On Mon, Feb 24, 2025 at 09:26:07AM -0500, Greg Sabino Mullane wrote:
> * Lay the groundwork for eventually disallowing plain text passwords
> completely. A long way off, but this is the start. After a couple years, we
> could switch the default from "warn" to "disallow". A few years after that,
> disallow completely.

I wonder how folks feel about the idea of removing the ability to send
passwords to the server in clear text. There may be some scenarios where
clear text is probably fine, and most of passwordcheck's checks rely on
being able to see the clear text password, but we've long encouraged folks
to "pre-encrypt" passwords. I also think it's hard to argue that sending a
clear text password is much more convenient than createuser or \password
(not to mention the PQchangePassword() function in libpq). That being
said, this seems like it has the potential to break a lot of stuff, and we
probably ought to be cautious about that, too.

This is perhaps a nitpick, but one issue with ERROR-ing for clear text
passwords is that the default logging settings seem to send the statement
to the logs, too. So, it might actually increase the likelihood of the
password showing up in the logs. I'm not sure what else could be done, but
I believe the conventional wisdom is that logs can contain sensitive
information, so maybe it's okay... It still seems weird to me to try to
help folks to avoid logging passwords by logging their passwords.
--
nathan
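As an added illustration of the "pre-encrypt" path discussed above (my own example, not code from this thread or from PostgreSQL itself): the Python below builds the SCRAM-SHA-256 verifier that \password and PQchangePassword() send in place of the clear text, a check that tells such a verifier apart from a clear-text password (the distinction a "warn"/"disallow" setting would have to make, and the reason passwordcheck cannot inspect a pre-encrypted one), and a re-derivation that confirms a verifier matches a password. Function names are my own; SASLprep normalisation is omitted, so it assumes ASCII passwords.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Defaults matching what PostgreSQL uses when it builds a SCRAM-SHA-256 verifier
SCRAM_ITERATIONS = 4096
SCRAM_SALT_LEN = 16

# Verifier layout: SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey> (all base64)
_SCRAM_RE = re.compile(
    r"^SCRAM-SHA-256\$(\d+):([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)$")
# Legacy md5 verifier: "md5" followed by 32 hex digits
_MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")


def scram_sha256_verifier(password: str, salt: Optional[bytes] = None,
                          iterations: int = SCRAM_ITERATIONS) -> str:
    """Derive the verifier string a client can put in ALTER ROLE ... PASSWORD,
    so the clear-text password never crosses the wire or reaches the server log.
    Assumption: password is ASCII (no SASLprep step is applied here)."""
    if salt is None:
        salt = os.urandom(SCRAM_SALT_LEN)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=32)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def is_pre_encrypted(secret: str) -> bool:
    """True if the string is already a verifier (SCRAM or md5 form), False if it
    is a clear-text password that a strength check could read but the wire and
    the logs would also see."""
    return bool(_SCRAM_RE.match(secret) or _MD5_RE.match(secret))


def check_password(password: str, verifier: str) -> bool:
    """Re-derive the verifier from its own salt and iteration count and compare
    in constant time; confirms the verifier really encodes this password."""
    m = _SCRAM_RE.match(verifier)
    if not m:
        return False
    iterations, salt = int(m.group(1)), base64.b64decode(m.group(2))
    recomputed = scram_sha256_verifier(password, salt, iterations)
    return hmac.compare_digest(recomputed, verifier)
```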