Re: PATCH: warn about, and deprecate, clear text passwords

On Fri, Mar 14, 2025 at 2:50 PM Greg Sabino Mullane <htamfids(at)gmail(dot)com> wrote:
> I'd rather not sit on this another year, if we can help it. We really should be warning people about this practice. The exact wording of the hint can be up for debate (or postponed - we technically don't have to say anything other than 'bad idea').
>
> Having the ability to disable clear text passwords seems an immediate win for those that want to enable it. Sure, we could be doing more, but I don't see any of the proposed future changes interfering with this patch.

I don't know, I think Nathan's idea of giving ourselves more time to
decide what to do is a pretty good one. It seems clear from the
discussion so far that there are multiple ideas about what to do here,
and it's not stupid to want to give ourselves a bit of time to think
that through before committing to anything in particular. From my
point of view, the warning text here for what is proposed here almost
might almost be:

WARNING: you just caused a problem for somebody else

The user has no particular reason to care about the fact that the
password they just typed ended up in the log. That is a concern for
the DBA, not the user, and even if they care about the DBA's feelings,
they only get the warning after it's too late to do otherwise.
Blocking ALTER USER commands containing such passwords is better,
because now doing the wrong thing actually doesn't work at all, and so
they have to change their behavior if they want to get anything done.
But we don't seem to be too sure whether we can really get away with
that amount of breakage; and we also don't seem to be sure whether it
really solves the problem; and we're getting very close to feature
freeze.

--
Robert Haas
EDB: http://www.enterprisedb.com