Re: Passwords in clear text in server log

On Wed, Oct 11, 2017 at 9:22 AM, Don Seiler <don(at)seiler(dot)us> wrote:
> On Wed, Oct 11, 2017 at 9:48 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>
>> Don Seiler <don(at)seiler(dot)us> writes:
>> > When I run a CREATE USER or ALTER USER statement and set a password for
>> > a
>> > user, that statement gets printed to the server log, along with the
>> > password, IN CLEAR TEXT.
>>
>> This is why psql has provisions for encrypting a new password on the
>> client side --- see \password.
>
>
> That's nice to have that option, but why even make it an option? If this is
> a dead horse that was finished being beaten years ago, my apologies. I'm
> curious what other non-psql clients do when allowing a user to change their
> password, I've only ever tried it with psql on the local DB host.
>
>> More generally, almost any SQL command might contain data that somebody
>> thinks is sensitive for some purpose or other. If you're going to log
>> commands, it behooves you to make sure the log is not widely readable.
>
>
> I strongly disagree. Sure, I might have HIPAA or financial data but we're
> talking about database user security here. Why would we *ever* want that
> logged to server logs? Regardless of if it was initially transmitted over
> the wire in plain text or whatever else the client/user can control, there
> should never be a reason to log that value in clear text (IMHO). It seems
> like it would only ever be a liability. Log the CREATE/ALTER user command
> (according to the log_statement value) but mask the password.

FYI our standard hack here is to run

set log_statement='none';
alter user ...

I do agree it would be nice to have postgres stamp out the password
field with *** when logging though