On Wed, Oct 11, 2017 at 9:48 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Don Seiler <don@seiler.us> writes: > When I run a CREATE USER or ALTER USER statement and set a password for a > user, that statement gets printed to the server log, along with the > password, IN CLEAR TEXT.
This is why psql has provisions for encrypting a new password on the client side --- see \password.
That's nice to have that option, but why even make it an option? If this is a dead horse that was finished being beaten years ago, my apologies. I'm curious what other non-psql clients do when allowing a user to change their password, I've only ever tried it with psql on the local DB host.
More generally, almost any SQL command might contain data that somebody thinks is sensitive for some purpose or other. If you're going to log commands, it behooves you to make sure the log is not widely readable.
I strongly disagree. Sure, I might have HIPAA or financial data but we're talking about database user security here. Why would we *ever* want that logged to server logs? Regardless of if it was initially transmitted over the wire in plain text or whatever else the client/user can control, there should never be a reason to log that value in clear text (IMHO). It seems like it would only ever be a liability. Log the CREATE/ALTER user command (according to the log_statement value) but mask the password.