On Tue, May 19, 2020 at 08:22:09AM +0200, Oleksandr Shulgin wrote:
> I think it's worth noting that using psql's \password command still results
> in an ALTER USER being sent to the server, and thus ending up in the logs.
> The difference is that the logged password is already encrypted:
>
> postgres=# \set ECHO_HIDDEN
> postgres=# \password t
> Enter new password:
> Enter it again:
> ********* QUERY **********
> ALTER USER t PASSWORD 'md5cf853b7f00ed64ef120b3f6af0d073c2'
> **************************
Even with that, please also remember that for an md5-hashed password,
having the MD5 hash is enough to be able to log into the server.
That's not the case with SCRAM...
--
Michael
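
An added example, not part of the original thread: a log audit that finds password-setting statements like the one echoed above and reports which form of secret was logged, since the md5 form is login-equivalent and the SCRAM form is not. The log line layout, the function names and the SCRAM verifier value are constructed for illustration; the md5 value is the one quoted in the thread.

```python
import re

# ALTER/CREATE USER|ROLE <name> ... PASSWORD '<secret>' as logged by the server.
STMT = re.compile(
    r"\b(?:ALTER|CREATE)\s+(?:USER|ROLE)\s+(\"[^\"]+\"|\w+).*?"
    r"\bPASSWORD\s+'((?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)
# Stored md5 form: literal "md5" followed by 32 lowercase hex digits.
MD5_FORM = re.compile(r"md5[0-9a-f]{32}")
# Stored SCRAM form: SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>
B64 = r"[A-Za-z0-9+/=]+"
SCRAM_FORM = re.compile(rf"SCRAM-SHA-256\$\d+:{B64}\${B64}:{B64}")

def classify(secret):
    """Return (kind, severity) for the secret found in a logged statement."""
    if SCRAM_FORM.fullmatch(secret):
        return "scram-sha-256", "low"       # verifier is not enough to log in
    if MD5_FORM.fullmatch(secret):
        return "md5", "high"                # hash alone is enough to log in
    return "plaintext", "critical"          # cleartext password in the log

def audit(lines):
    """Yield (line_no, role, kind, severity); the secret is never echoed."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = STMT.search(line)
        if match:
            kind, severity = classify(match.group(2))
            findings.append((line_no, match.group(1).strip('"'), kind, severity))
    return findings

# Constructed sample log (timestamps, PIDs and the SCRAM verifier are made up).
SAMPLE_LOG = [
    "2020-05-19 08:00:01 UTC [101] LOG:  statement: "
    "ALTER USER t PASSWORD 'md5cf853b7f00ed64ef120b3f6af0d073c2'",
    "2020-05-19 08:00:02 UTC [102] LOG:  statement: ALTER ROLE app WITH "
    "PASSWORD 'SCRAM-SHA-256$4096:c2FsdHNhbHQ=$c3RvcmVka2V5:c2VydmVya2V5'",
    "2020-05-19 08:00:03 UTC [103] LOG:  statement: CREATE USER bob PASSWORD 'hunter2'",
    "2020-05-19 08:00:04 UTC [104] LOG:  statement: SELECT 1",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Roles reported as `md5` or `plaintext` are the ones whose passwords should be rotated after the log has been exposed.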