On Mon, Feb 24, 2025 at 09:26:07AM -0500, Greg Sabino Mullane wrote:
> * Lay the groundwork for eventually disallowing plain text passwords
> completely. A long way off, but this is the start. After a couple years, we
> could switch the default from "warn" to "disallow". A few years after that,
> disallow completely.

I wonder how folks feel about the idea of removing the ability to send passwords to the server in clear text. There may be some scenarios where clear text is probably fine, and most of passwordcheck's checks rely on being able to see the clear text password, but we've long encouraged folks to "pre-encrypt" passwords. I also think it's hard to argue that sending a clear text password is much more convenient than createuser or \password (not to mention the PQchangePassword() function in libpq). That being said, this seems like it has the potential to break a lot of stuff, and we probably ought to be cautious about that, too.

This is perhaps a nitpick, but one issue with ERROR-ing for clear text passwords is that the default logging settings seem to send the statement to the logs, too. So, it might actually increase the likelihood of the password showing up in the logs. I'm not sure what else could be done, but I believe the conventional wisdom is that logs can contain sensitive information, so maybe it's okay... It still seems weird to me to try to help folks to avoid logging passwords by logging their passwords.

-- 
nathan
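An added example, not part of the message above and not PostgreSQL code: "pre-encrypting" a password into a SCRAM-SHA-256 verifier on the client, then scanning logged statements for role DDL that still carries a clear text password. The function names, regexes and log lines are constructed for illustration; the classifier only approximates by string shape what counts as already encrypted, and the password is assumed to be ASCII.

```python
import base64, hashlib, hmac, os, re

SCRAM_RE = re.compile(r"SCRAM-SHA-256\$(\d+):([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)")
MD5_RE = re.compile(r"md5[0-9a-f]{32}")
# CREATE/ALTER ROLE|USER ... PASSWORD '<literal>' inside a logged statement.
STMT_RE = re.compile(r"\b(?:CREATE|ALTER)\s+(?:ROLE|USER)\b.*?\bPASSWORD\s+'((?:[^']|'')*)'", re.I | re.S)

def scram_verifier(password, salt=None, iterations=4096):
    """Compute a SCRAM-SHA-256 verifier client-side (RFC 5802 key derivation)."""
    # Assumption: ASCII-only password, so SASLprep normalization changes nothing.
    salt = os.urandom(16) if salt is None else salt
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("ascii"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    enc = lambda raw: base64.b64encode(raw).decode("ascii")
    return f"SCRAM-SHA-256${iterations}:{enc(salt)}${enc(stored_key)}:{enc(server_key)}"

def password_kind(literal):
    """Classify a PASSWORD literal as 'scram-sha-256', 'md5' or 'cleartext'."""
    m = SCRAM_RE.fullmatch(literal)
    if m:
        try:
            keys = [base64.b64decode(m.group(i), validate=True) for i in (3, 4)]
        except ValueError:
            return "cleartext"
        if all(len(k) == 32 for k in keys):  # both keys are SHA-256 sized
            return "scram-sha-256"
    return "md5" if MD5_RE.fullmatch(literal) else "cleartext"

def cleartext_statements(log_lines):
    """Return indexes of log lines whose role DDL carries a clear text password."""
    hits = []
    for i, line in enumerate(log_lines):
        m = STMT_RE.search(line)
        if m and password_kind(m.group(1).replace("''", "'")) == "cleartext":
            hits.append(i)
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    "LOG:  statement: ALTER ROLE app PASSWORD 'hunter2'",
    "LOG:  statement: ALTER ROLE app PASSWORD '" + scram_verifier("hunter2") + "'",
    "LOG:  statement: CREATE USER rpt WITH LOGIN PASSWORD 'md5" + "0" * 32 + "'",
    "LOG:  statement: SELECT 1",
]

if __name__ == "__main__":
    print(cleartext_statements(SAMPLE_LOG))
```

Only the first sample line is flagged; the verifier and md5 forms pass through without exposing the original password in the log.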