On 04/02/2025 19:14, Guillaume Lelarge wrote:
On 04/02/2025 17:59, Tom Lane wrote:
Guillaume Lelarge <guillaume.lela...@dalibo.com> writes:
v2 is attached.

This seems pretty much entirely useless to me.  The password
has already been leaked to the log (*and* the network, if
session is unencrypted), so what's the point of a warning?
And as already noted, this ignores several other hazards of
the same sort, so it's more likely to create a false sense of
security than anything else.

(In addition to the points noted, what of event triggers?
Or ~/.psql_history?)


I agree that the warning itself doesn't make the password secure. But it never pretends to do that. If I, as a user, see a message like this, my next move will be to search for a way to change my password in a secure way.

Warning users won't save everyone, but it may help some. Doing nothing helps no one.


FWIW, I just set my patch to the "Withdrawn" status on the commitfest app. Greg's patch is pretty much the same, and offers more options. I reviewed it, and it has my vote.


--
Guillaume Lelarge
Consultant
https://dalibo.com

