Re: Passwords in clear text in server log

On Wed, Oct 11, 2017 at 9:48 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> Don Seiler <don(at)seiler(dot)us> writes:
> > When I run a CREATE USER or ALTER USER statement and set a password for a
> > user, that statement gets printed to the server log, along with the
> > password, IN CLEAR TEXT.
>
> This is why psql has provisions for encrypting a new password on the
> client side --- see \password.
>

That's nice to have that option, but why even make it an option? If this
is a dead horse that was finished being beaten years ago, my apologies. I'm
curious what other non-psql clients do when allowing a user to change their
password, I've only ever tried it with psql on the local DB host.

More generally, almost any SQL command might contain data that somebody
> thinks is sensitive for some purpose or other. If you're going to log
> commands, it behooves you to make sure the log is not widely readable.

I strongly disagree. Sure, I might have HIPAA or financial data but we're
talking about database user security here. Why would we *ever* want that
logged to server logs? Regardless of if it was initially transmitted over
the wire in plain text or whatever else the client/user can control, there
should never be a reason to log that value in clear text (IMHO). It seems
like it would only ever be a liability. Log the CREATE/ALTER user command
(according to the log_statement value) but mask the password.

--
Don Seiler
www.seiler.us