> 2022-01-05 17:35:25.831 CET [58] ERROR: syntax error at or near "$1" at > character 35 > 2022-01-05 17:35:25.831 CET [58] STATEMENT: ALTER USER postgres WITH > PASSWORD $1
Yeah, as a general rule parameters can only be used in DML commands (SELECT/INSERT/UPDATE/DELETE). Utility commands don't support them because they don't have expression-evaluation capability.
(Perhaps this will change someday, but don't hold your breath.)
> Passwords can also contain special characters. If I can't use parameters to > do this, then how should I quote them in a safe way?
Most client libraries should have a function to convert an arbitrary string into a safely-quoted SQL literal that you can embed into the command. I don't know psycopg3, so I don't know what it has for that.