Hi,
> There have been a few complaints lately about the fact that we cavalierly allow clear text passwords to be sent when
> doing CREATE USER or ALTER USER. These, of course, can end up in many places, such as pg_stat_activity,
> pg_stat_statements, .psql_history, and the server logs. It is a genuinely valid complaint, and for security purposes,
> there is little recourse other than telling users "don't do that". The canonical recommendation is to use psql's awesome
> \password feature. Second best is to use your application/driver of choice, which hopefully has support for not sending
> passwords in the clear.

If the problem is that the password might be logged, wouldn't a proper
solution be not to log such queries?
I don't see how a warning and an extra GUC will improve the overall
security of the system, and I suspect very few users will voluntarily
trade convenience for security by choosing "disallow". So in its
current state the patch doesn't seem to help much.
--
Best regards,
Aleksander Alekseev