Re: how _not_ to log?

From: Marko Kreen <markokr(at)gmail(dot)com>
To: Adrian Klaver <adrian(dot)klaver(at)gmail(dot)com>
Cc: Tim Spencer <tspencer(at)cloudpassage(dot)com>, pgsql-general(at)postgresql(dot)org
Subject: Re: how _not_ to log?
Date: 2013-07-27 14:13:02
Message-ID: CACMqXCKx35Hi9GPs27mZ6=g0pRz8jB2mP+yZ2bO-z=-na6Y2-A@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On Fri, Jul 26, 2013 at 2:54 AM, Adrian Klaver <adrian(dot)klaver(at)gmail(dot)com> wrote:
> http://www.postgresql.org/docs/9.2/interactive/sql-alterrole.html
>
> Caution must be exercised when specifying an unencrypted password
> with this command. The password will be transmitted to the server in
> cleartext, and it might also be logged in the client's command history or
> the server log. psql contains a command \password that can be used to change
> a role's password without exposing the cleartext password.

Caution must be exercised with "encrypted" passwords too - they are
cleartext-equivalent, which means you can use them to log in,
without knowing the original password.

And the "encryption" is single md5() so the actual password
is relatively easy to crack too.

So avoiding logging them is good idea.

--
marko

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Janek Sendrowski 2013-07-27 17:04:15 Re: Fastest Index/Algorithm to find similar sentences
Previous Message Olivier Austina 2013-07-27 13:24:28 SQL for multimedia retrieval