public inbox for [email protected]
help / color / mirror / Atom feedFrom: Nathan Bossart <[email protected]>
To: Greg Sabino Mullane <[email protected]>
Cc: Aleksander Alekseev <[email protected]>
Cc: pgsql-hackers <[email protected]>
Subject: Re: PATCH: warn about, and deprecate, clear text passwords
Date: Mon, 24 Feb 2025 14:47:13 -0600
Message-ID: <Z7za0Q9Yj5HDU-ye@nathan> (raw)
In-Reply-To: <CAKAnmmKGWxEGbvuBAxyDWmuije8agUHTY-82DR1VEkFM2vKNTg@mail.gmail.com>
References: <CAKAnmmJcXyLeBUJfqCx+-gRmkooDPnH7OmM4o=2HJRXzbMkP_g@mail.gmail.com>
<CAJ7c6TP=nGgMhzrNgT8uzqaQj_nkT6HkYNgUyYcDqaL3R8dGog@mail.gmail.com>
<CAKAnmmKGWxEGbvuBAxyDWmuije8agUHTY-82DR1VEkFM2vKNTg@mail.gmail.com>
On Mon, Feb 24, 2025 at 09:26:07AM -0500, Greg Sabino Mullane wrote:
> * Lay the groundwork for eventually disallowing plain text passwords
> completely. A long way off, but this is the start. After a couple years, we
> could switch the default from "warn" to "disallow". A few years after that,
> disallow completely.
I wonder how folks feel about the idea of removing the ability to send
passwords to the server in clear text. There may be some scenarios where
clear text is probably fine, and most of passwordcheck's checks rely on
being able to see the clear text password, but we've long encouraged folks
to "pre-encrypt" passwords. I also think it's hard to argue that sending a
clear text password is much more convenient than createuser or \password
(not to mention the PQchangePassword() function in libpq). That being
said, this seems like it has the potential to break a lot of stuff, and we
probably ought to be cautious about that, too.
This is perhaps a nitpick, but one issue with ERROR-ing for clear text
passwords is that the default logging settings seem to send the statement
to the logs, too. So, it might actually increase the likelihood of the
password showing up in the logs. I'm not sure what else could be done, but
I believe the conventional wisdom is that logs can contain sensitive
information, so maybe it's okay... It still seems weird to me to try to
help folks to avoid logging passwords by logging their passwords.
--
nathan
view thread (2+ messages)
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: PATCH: warn about, and deprecate, clear text passwords
In-Reply-To: <Z7za0Q9Yj5HDU-ye@nathan>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox