Re: Changing Passwords as Encrypted not Clear-Text

From: MURAT KOÇ <m(dot)koc21(at)gmail(dot)com>
To: Adrian Klaver <adrian(dot)klaver(at)gmail(dot)com>, pgsql-general(at)postgresql(dot)org
Subject: Re: Changing Passwords as Encrypted not Clear-Text
Date: 2011-12-19 15:26:33
Message-ID: CAA4y46zTcMZXewE8QffSTHpwiCHNXeG+1iwVRvsabTw+dx5hWA@mail.gmail.com
Lists: pgsql-general

Hi Adrian,

I wrote a desktop application on Windows using "Npgsql.dll". So, I send
SQL statements to the database from this application code. I can't use the psql
command line (I know the "\password" command changes the password as encrypted text).

Because of this, I have to use the "ALTER USER" statement from application
code. Or could you give other advice?

Best Regards
Murat KOC

2011/12/19 Adrian Klaver <adrian(dot)klaver(at)gmail(dot)com>

> On Monday, December 19, 2011 5:01:28 am MURAT KOÇ wrote:
> > Hi List,
> >
> > When I try to change my db password like below SQL statement from psql or
> > pgAdmin tool, it outputs to server logs as like this:
> >
> > *postgres=# alter user mkoc password 'dummy';
> > ALTER ROLE
> > postgres=# alter user mkoc with password 'dummy';
> > ALTER ROLE
> > *
> >
> > *Server Logs must be;
> > *2011-12-19 14:35:31
> > EET--postgres--postgres--[local]--psql--idle--00000LOG: statement: alter
> > user mkoc password *values 'XFADIT9248fDSKFD';*
> > **
> > Is it possible to see changing passwords as encrypted? How should I change
> > password or what is the correct sql statement to change user password?
>
> http://www.postgresql.org/docs/9.0/interactive/sql-alterrole.html
> "Caution must be exercised when specifying an unencrypted password with this
> command. The password will be transmitted to the server in cleartext, and it
> might also be logged in the client's command history or the server log. psql
> contains a command \password that can be used to change a role's password
> without exposing the cleartext password."
>
> The above is incorrect in that encrypted passwords will also be sent as clear
> text.
>
> http://www.postgresql.org/docs/9.0/interactive/app-psql.html
> "\password [ username ]
>
> Changes the password of the specified user (by default, the current user).
> This command prompts for the new password, encrypts it, and sends it to the
> server as an ALTER ROLE command. This makes sure that the new password does not
> appear in cleartext in the command history, the server log, or elsewhere."
>
> >
> > Best Regards,
> > Murat KOC
>
> --
> Adrian Klaver
> adrian(dot)klaver(at)gmail(dot)com
>
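
What psql's \password does on the client side, sketched in Python as an added example (not code from this thread or from the PostgreSQL project): hash the password together with the role name, then send ALTER ROLE with the hash so that the statement log shows only the hash. It assumes the server stores md5 passwords, as PostgreSQL 9.0 does; the function names are hypothetical, and the same steps can be carried out from an Npgsql application.

```python
import hashlib


def pg_md5_verifier(role: str, password: str) -> str:
    """Return 'md5' + hex(md5(password + role)), the md5 storage format.

    The role name acts as the salt, so it must be passed exactly as it is
    stored on the server.
    """
    digest = hashlib.md5((password + role).encode("utf-8")).hexdigest()
    return "md5" + digest


def quote_ident(name: str) -> str:
    """Quote an SQL identifier; embedded double quotes are doubled."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


def alter_role_statement(role: str, password: str) -> str:
    """Build the statement to send; the cleartext never appears in it."""
    if not password:
        raise ValueError("empty password")
    verifier = pg_md5_verifier(role, password)
    # The verifier is 'md5' plus 32 lowercase hex digits, so it needs no
    # escaping inside the string literal.
    return f"ALTER ROLE {quote_ident(role)} ENCRYPTED PASSWORD '{verifier}'"


if __name__ == "__main__":
    # Role name and password taken from the example in the thread.
    print(alter_role_statement("mkoc", "dummy"))
```

The hash depends on the role name, so it has to be regenerated if the role is renamed. With md5 authentication the hash itself is as sensitive as the password, so the connection and the log files still need protecting.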
