Re: Redact user password on pg_stat_statements

Greg Sabino Mullane <htamfids(at)gmail(dot)com> writes:
> I'm wondering what else we can do to discourage this pattern, however.
> There are more secure ways to set/change a password, but we keep seeing
> plain text pop up in various contexts. Maybe a strong warning+hint when
> someone uses these commands? A future GUC to disable it by default?

Hmm, we could imagine a GUC that disables accepting a plain-text
password, all right. (We already assume the server can tell the
difference between encrypted and plain passwords.)

We already have this behavior:

regression=# set password_encryption = md5;
SET
regression=# create user joe password 'joe';
WARNING: setting an MD5-encrypted password
DETAIL: MD5 password support is deprecated and will be removed in a future release of PostgreSQL.
HINT: Refer to the PostgreSQL documentation for details about migrating to another password type.
CREATE ROLE

Refusing plain-text seems pretty adjacent to that.

One concern is that while psql has the ability to construct an
encrypted password client-side, I'm not sure whether other clients
such as pgAdmin have grown equivalent features. Putting in this
sort of restriction would move that from nice-to-have to a
virtual necessity, so it'd put some pressure on client authors.

regards, tom lane