Home > mailing lists

Re: how _not_ to log? - Mailing list pgsql-general

From	Marko Kreen
Subject	Re: how _not_ to log?
Date	July 27, 2013 17:13:09
Msg-id	CACMqXCKx35Hi9GPs27mZ6=g0pRz8jB2mP+yZ2bO-z=-na6Y2-A@mail.gmail.com Whole thread Raw
In response to	Re: how _not_ to log? (Adrian Klaver <adrian.klaver@gmail.com>)
List	pgsql-general

Tree view

On Fri, Jul 26, 2013 at 2:54 AM, Adrian Klaver <adrian.klaver@gmail.com> wrote:
> http://www.postgresql.org/docs/9.2/interactive/sql-alterrole.html
>
> Caution must be exercised when specifying an unencrypted password
> with this command. The password will be transmitted to the server in
> cleartext, and it might also be logged in the client's command history or
> the server log. psql contains a command \password that can be used to change
> a role's password without exposing the cleartext password.

Caution must be exercised with "encrypted" passwords too - they are
cleartext-equivalent, which means you can use them to log in,
without knowing the original password.

And the "encryption" is single md5() so the actual password
is relatively easy to crack too.

So avoiding logging them is good idea.

--
marko

pgsql-general by date:

From: Olivier Austina
Date: 27 July 2013, 16:24:32
Subject: SQL for multimedia retrieval

From: "Janek Sendrowski"
Date: 27 July 2013, 20:04:20
Subject: Re: Fastest Index/Algorithm to find similar sentences

Re: how _not_ to log? - Mailing list pgsql-general

Previous

Next