Re: Password leakage avoidance

From: Joe Conway <mail(at)joeconway(dot)com>
To: Peter Eisentraut <peter(at)eisentraut(dot)org>, PostgreSQL-development <pgsql-hackers(at)postgreSQL(dot)org>
Cc: Dave Cramer <davecramer(at)postgres(dot)rocks>
Subject: Re: Password leakage avoidance
Date: 2023-12-27 20:53:35
Message-ID: 5fab9468-705c-4401-94b1-b9dd1eb6017c@joeconway.com
Lists: pgsql-hackers

On 12/27/23 15:39, Peter Eisentraut wrote:
> On 23.12.23 16:13, Joe Conway wrote:
>> I have recently, once again for the umpteenth time, been involved in
>> discussions around (paraphrasing) "why does Postgres leak the passwords
>> into the logs when they are changed". I know well that the canonical
>> advice is something like "use psql with \password if you care about that".
>>
>> And while that works, it is a deeply unsatisfying answer for me to give
>> and for the OP to receive.
>>
>> The alternative is something like "...well if you don't like that, use
>> PQencryptPasswordConn() to roll your own solution that meets your
>> security needs".
>>
>> Again, not a spectacular answer IMHO. It amounts to "here is a
>> do-it-yourself kit, go put it together". It occurred to me that we can,
>> and really should, do better.
>>
>> The attached patch set moves the guts of \password from psql into the
>> libpq client side -- PQchangePassword() (patch 0001).
>>
>> The usage in psql serves as a ready built-in test for the libpq function
>> (patch 0002). Docs included too (patch 0003).
>
> I don't follow how you get from the problem statement to this solution.
> This proposal doesn't avoid password leakage, does it?

Yes, it most certainly does. The plaintext password would never be seen
by the server and therefore never logged. This is exactly why the
feature already existed in psql.

> It just provides a different way to phrase the existing solution.

Yes, a fully built one that is convenient to use, and does not ask
everyone to roll their own.

> Who is a potential user of this solution?

Literally every company that has complained that Postgres pollutes their
logs with plaintext passwords. I have heard the request to provide a
better solution many times, over many years, while working for three
different companies.

> Right now it just saves a dozen lines in psql, but it's not clear how
> it improves anything else.

It is to me, and so far no one else has complained about that. More
opinions would be welcomed of course.

--
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
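
The point made in the message above, that a password hashed on the client never reaches the server or its logs in plaintext, shown as an added example that is not part of the original message or the patch set. It is a Python stand-in for the SCRAM-SHA-256 hashing that PQencryptPasswordConn() performs in libpq; the function names and the sample role and password are hypothetical, and the password is assumed to be ASCII so SASLprep normalization is a no-op.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

def scram_verifier(password: str, salt: Optional[bytes] = None, iterations: int = 4096) -> str:
    """Compute a SCRAM-SHA-256 verifier in the text format PostgreSQL stores."""
    salt = os.urandom(16) if salt is None else salt
    # Assumption: ASCII password, so the SASLprep step PostgreSQL applies changes nothing.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    enc = lambda raw: base64.b64encode(raw).decode("ascii")
    return f"SCRAM-SHA-256${iterations}:{enc(salt)}${enc(stored_key)}:{enc(server_key)}"

def verifier_matches(password: str, verifier: str) -> bool:
    """Recompute the verifier from its own salt and iteration count and compare."""
    _, params, _keys = verifier.split("$")
    iterations, salt_b64 = params.split(":")
    candidate = scram_verifier(password, base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, verifier)

def alter_role_statement(role: str, secret: str) -> str:
    """Build the statement text the server receives and, if statement logging is on, logs."""
    ident = '"' + role.replace('"', '""') + '"'
    # Assumption: standard_conforming_strings is on, so only single quotes need doubling.
    literal = "'" + secret.replace("'", "''") + "'"
    return f"ALTER ROLE {ident} PASSWORD {literal}"

def demo():
    password = "correct horse battery staple"  # constructed sample value
    leaky = alter_role_statement("alice", password)                  # plaintext in the statement
    safe = alter_role_statement("alice", scram_verifier(password))   # verifier only
    return password, leaky, safe

if __name__ == "__main__":
    pw, leaky, safe = demo()
    print("sent as typed: ", leaky)
    print("hashed first:  ", safe)
```

PostgreSQL stores a value of this form as given instead of hashing it again, so the second statement sets the same password while exposing only the salted verifier.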
