Home > mailing lists

Re: pg_stat_statements showing passwords while create or alterusers. - Mailing list pgsql-docs

From	Laurenz Albe
Subject	Re: pg_stat_statements showing passwords while create or alterusers.
Date	April 17, 2020 10:01:12
Msg-id	b9d9738794d77406fc3abe601658970381c67057.camel@cybertec.at Whole thread Raw
In response to	pg_stat_statements showing passwords while create or alter users. (PG Doc comments form <noreply@postgresql.org>)
List	pgsql-docs

Tree view

On Fri, 2020-04-17 at 02:01 +0000, PG Doc comments form wrote:
> pg_stat_statements is recording passwords also, is there any way to avoid
> the logging of passwords without droping extension package.
> testdb=> create user test1 with password 'test123';
> CREATE ROLE
> testdb=> create user test2 with encrypted password 'test123';
> CREATE ROLE
> test=> select query from pg_stat_statements where query like '%test%';
>                            query
> -----------------------------------------------------------
> create user test1 with encrypted password 'test123'
> create user test2 with password 'test123'

There is no way to obfuscate such passwords.
Note that these statements will also show up in the server log
if you set "log_statement = 'ddl'".

For these reasons it is recommended to never set your password like
this, but always hash it on the client side first.

Most interactive clients have a way to do that, like psql`s "\password".

Yours,
Laurenz Albe
-- 
Cybertec | https://www.cybertec-postgresql.com

pgsql-docs by date:

From: Magnus Hagander
Date: 17 April 2020, 09:57:24
Subject: Re: pg_stat_statements showing passwords while create or alter users.

From: PG Doc comments form
Date: 17 April 2020, 10:37:52
Subject: PDF documentation bug: different table columns overlap and are unreadable

Re: pg_stat_statements showing passwords while create or alterusers. - Mailing list pgsql-docs

Previous

Next