Re: Changing Passwords as Encrypted not Clear-Text - Mailing list pgsql-general

From Alban Hertroys
Subject Re: Changing Passwords as Encrypted not Clear-Text
Date
Msg-id CAF-3MvPB3oBzSSHU6rm7yx-SV9qow7JK3baw9UqMqkYqNCo3Og@mail.gmail.com
In response to Re: Changing Passwords as Encrypted not Clear-Text  (MURAT KOÇ <m.koc21@gmail.com>)
List pgsql-general
> Of course, we could create login credentials, login configuration options
> for every DBA colleague. But, as I said previously, the big problem is
> "PostgreSQL logs include changing passwords on clear-text not encrypted"

No, the big problem is that you don't consider your fellow DBAs
reliable. That's a problem you need to solve rather sooner than later.

Another problem is that you are apparently logging all SQL statements.
Not only does that store the SQL for changing database users, it will
also slow down your database. You should really only log all
statements if you're debugging something, and only temporarily.

Of course it would be nice if those passwords would be encrypted, but
they are simply part of SQL statements - there is no means in SQL to
distinguish a password string literal from any other type of literal,
until the statement hits the database.

--
If you can't see the forest for the trees,
Cut the trees and you'll see there is no forest.
