This is perhaps a nitpick, but one issue with ERROR-ing for clear text passwords is that the default logging settings seem to send the statement to the logs, too. So, it might actually increase the likelihood of the password showing up in the logs. I'm not sure what else could be done, but I believe the conventional wisdom is that logs can contain sensitive information, so maybe it's okay... It still seems weird to me to try to help folks to avoid logging passwords by logging their passwords.
It is definitely ironic, but it’s non-routinely logging their proposed new password which, due to the server settings, does not actually get set as the new password, in order to prevent routinely logging their passwords.
What I mean is, after the error is thrown and the proposed password logged, they need to re-try with a pre-encrypted password which will not be logged. If they choose a new password, then the logged one is irrelevant, and even if they don't, it's just one password rather than all the ones they change. So on the whole I think this is good. And in any case I believe the existing behaviour can still be had by configuration so we're not really imposing anything on anybody.
