On Mon, 24 Feb 2025 at 15:47, Nathan Bossart <nathandboss...@gmail.com> wrote:

> This is perhaps a nitpick, but one issue with ERROR-ing for clear text
> passwords is that the default logging settings seem to send the statement
> to the logs, too. So, it might actually increase the likelihood of the
> password showing up in the logs. I'm not sure what else could be done, but
> I believe the conventional wisdom is that logs can contain sensitive
> information, so maybe it's okay... It still seems weird to me to try to
> help folks to avoid logging passwords by logging their passwords.

It is definitely ironic, but it's non-routinely logging their proposed new password which, due to the server settings, does not actually get set as the new password, in order to prevent routinely logging their passwords. What I mean is, after the error is thrown and the proposed password logged, they need to retry with a pre-encrypted password which will not be logged. If they choose a new password, then the logged one is irrelevant, and even if they don't, it's just one password rather than all the ones they change. So on the whole I think this is good. And in any case I believe the existing behaviour can still be had by configuration so we're not really imposing anything on anybody.
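The retry the reply describes, sending a pre-encrypted password so that neither the statement nor the error log ever carries the clear text, can be done by building the SCRAM-SHA-256 verifier on the client. The following is an added example, not code from the thread or from PostgreSQL itself; it reproduces the `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>` secret format and the 4096-iteration default, and assumes an ASCII password so that SASLprep normalisation is the identity. The role name in `alter_role_statement` is assumed to be a simple identifier.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# PostgreSQL's default iteration count for SCRAM-SHA-256 secrets.
SCRAM_ITERATIONS = 4096


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def build_scram_secret(password: str, salt: Optional[bytes] = None,
                       iterations: int = SCRAM_ITERATIONS) -> str:
    """Derive a PostgreSQL-style SCRAM-SHA-256 secret from a password.

    Assumption: the password is plain ASCII, so SASLprep is the identity.
    A random 16-byte salt is drawn when none is supplied.
    """
    if salt is None:
        salt = os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"


def parse_scram_secret(secret: str) -> Tuple[int, bytes, bytes, bytes]:
    """Split a secret into (iterations, salt, StoredKey, ServerKey)."""
    mech, rest = secret.split("$", 1)
    if mech != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 secret")
    params, keys = rest.split("$", 1)
    iters, salt_b64 = params.split(":", 1)
    stored_b64, server_b64 = keys.split(":", 1)
    return (int(iters), base64.b64decode(salt_b64),
            base64.b64decode(stored_b64), base64.b64decode(server_b64))


def verify_password(password: str, secret: str) -> bool:
    """Check a candidate password against a stored secret (what the server does at login)."""
    iters, salt, stored_key, server_key = parse_scram_secret(secret)
    _, _, rk_stored, rk_server = parse_scram_secret(build_scram_secret(password, salt, iters))
    return hmac.compare_digest(rk_stored, stored_key) and hmac.compare_digest(rk_server, server_key)


def alter_role_statement(role: str, secret: str) -> str:
    """Statement that carries only the verifier, so logging it exposes no clear text.

    Assumption: `role` is a simple identifier needing no quoting.
    """
    return f"ALTER ROLE {role} PASSWORD '{secret}';"


if __name__ == "__main__":
    # Constructed sample password; the real one would come from a prompt, not source.
    secret = build_scram_secret("correct horse battery staple")
    print(alter_role_statement("app_user", secret))
    print("verifies:", verify_password("correct horse battery staple", secret))
```

The point of interest for the logging discussion is that `alter_role_statement` contains only the derived secret, so even if the server logs the statement at ERROR or at `log_statement = 'all'`, the clear text password is not in the log; the verifier is what the server would have stored anyway.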
This is perhaps a nitpick, but one issue with ERROR-ing for clear text > passwords is that the default logging settings seem to send the statement > to the logs, too. So, it might actually increase the likelihood of the > password showing up in the logs. I'm not sure what else could be done, but > I believe the conventional wisdom is that logs can contain sensitive > information, so maybe it's okay... It still seems weird to me to try to > help folks to avoid logging passwords by logging their passwords. > It is definitely ironic, but it’s non-routinely logging their proposed new password which, due to the server settings, does not actually get set as the new password, in order to prevent routinely logging their passwords. What I mean is, after the error is thrown and the proposed password logged, they need to re-try with a pre-encrypted password which will not be logged. If they choose a new password, then the logged one is irrelevant, and even if they don't, it's just one password rather than all the ones they change. So on the whole I think this is good. And in any case I believe the existing behaviour can still be had by configuration so we're not really imposing anything on anybody.