Password leakage avoidance - Mailing list pgsql-hackers

From Joe Conway
Subject Password leakage avoidance
Date
Msg-id b75955f7-e8cc-4bbd-817f-ef536bacbe93@joeconway.com
List pgsql-hackers

I have recently, once again for the umpteenth time, been involved in 
discussions around (paraphrasing) "why does Postgres leak the passwords 
into the logs when they are changed". I know well that the canonical 
advice is something like "use psql with \password if you care about that".

And while that works, it is a deeply unsatisfying answer for me to give 
and for the OP to receive.

The alternative is something like "...well if you don't like that, use 
PQencryptPasswordConn() to roll your own solution that meets your 
security needs".

Again, not a spectacular answer IMHO. It amounts to "here is a 
do-it-yourself kit, go put it together". It occurred to me that we can, 
and really should, do better.

The attached patch set moves the guts of \password from psql into the 
libpq client side -- PQchangePassword() (patch 0001).

The usage in psql serves as a ready built-in test for the libpq function 
(patch 0002). Docs included too (patch 0003).

One thing I have not done, but considered, is adding an additional 
optional parameter to allow "VALID UNTIL" to be set. Seems like it would 
be useful to be able to set an expiration when setting a new password.

I will register this in the upcoming commitfest, but meantime 
thoughts/comments/etc. would be gratefully received.

Thanks,

-- 
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
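
An added illustration, not part of the original message or the attached patch set: a Python sketch of the client-side hashing that psql's \password and PQencryptPasswordConn() rely on, so the statement the server may log carries a SCRAM-SHA-256 verifier rather than the cleartext. The function names, role name and password are constructed for this example, and it assumes an ASCII-only password (no SASLprep) and the scram-sha-256 method.

```python
import base64
import hashlib
import hmac
import os


def scram_sha256_verifier(password, salt=None, iterations=4096):
    """Build the verifier string PostgreSQL stores for a scram-sha-256 role."""
    # Assumption: ASCII-only password, so SASLprep normalisation is skipped.
    if not password.isascii():
        raise ValueError("non-ASCII passwords need SASLprep, not handled here")
    salt = os.urandom(16) if salt is None else salt
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()

    def b64(raw):
        return base64.b64encode(raw).decode()

    return (f"SCRAM-SHA-256${iterations}:{b64(salt)}"
            f"${b64(stored_key)}:{b64(server_key)}")


def quote_ident(name):
    # SQL identifier quoting: wrap in double quotes, double any embedded ones.
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value):
    # The verifier is base64 plus '$' and ':'; doubling quotes is still applied.
    return "'" + value.replace("'", "''") + "'"


def alter_role_statement(role, password, salt=None, iterations=4096):
    """Statement whose text is safe to appear in server logs."""
    verifier = scram_sha256_verifier(password, salt, iterations)
    return f"ALTER ROLE {quote_ident(role)} PASSWORD {quote_literal(verifier)}"


if __name__ == "__main__":
    pw = "s3cret-Passw0rd!"  # constructed sample value
    # What leaks when the cleartext is sent in the statement itself:
    print(f"ALTER ROLE {quote_ident('alice')} PASSWORD {quote_literal(pw)}")
    # What the server sees when the client hashes first:
    print(alter_role_statement("alice", pw))
```
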