| From: | Michael Paquier <michael(at)paquier(dot)xyz> |
|---|---|
| To: | Oleksandr Shulgin <oleksandr(dot)shulgin(at)zalando(dot)de> |
| Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, abcxiaod(at)126(dot)com, PostgreSQL mailing lists <pgsql-bugs(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: BUG #16449: Log file and the query field of the pg_stat_statements table display clear text password. |
| Date: | 2020-05-19 07:02:57 |
| Message-ID: | 20200519070257.GF11835@paquier.xyz |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On Tue, May 19, 2020 at 08:22:09AM +0200, Oleksandr Shulgin wrote:
> I think it's worth noting that using psql's \password command still results
> in an ALTER USER being sent to the server, and thus ending up in the logs.
> The difference is that the logged password is already encrypted:
>
> postgres=# \set ECHO_HIDDEN
> postgres=# \password t
> Enter new password:
> Enter it again:
> ********* QUERY **********
> ALTER USER t PASSWORD 'md5cf853b7f00ed64ef120b3f6af0d073c2'
> **************************
Even with that, please also remember that for a md5-hashed password,
having the MD5 hash is enough to be able to log into the server.
That's not the case with SCRAM...
--
Michael
| From | Date | Subject | |
|---|---|---|---|
| Next Message | wenjing zeng | 2020-05-19 08:19:56 | Re: [bug] Table not have typarray when created by single user mode |
| Previous Message | Oleksandr Shulgin | 2020-05-19 06:22:09 | Re: BUG #16449: Log file and the query field of the pg_stat_statements table display clear text password. |