On 1/3/24 7:53 AM, Robert Haas wrote:
> Also, +1 for the general idea. I don't think this is a whole answer to
> the problem of passwords appearing in log files because (1) you have
> to be using libpq in order to make use of this and (2) you have to
> actually use it instead of just doing something else and complaining
> about the problem. But neither of those things is a reason not to have
> it. There's no reason why a sophisticated user who goes through libpq
> shouldn't have an easy way to do this instead of being asked to
> reimplement it if they want the functionality.

ISTM the only way to really move the needle (short of removing all SQL support for changing passwords) would be a GUC that allows disabling the use of SQL for setting passwords. While that doesn't prevent leakage, it does at least force users to use a secure method of setting passwords.

-- 
Jim Nasby, Data Architect, Austin TX