Re: PATCH: warn about, and deprecate, clear text passwords

2025-03-19 Thread Nathan Bossart
On Wed, Mar 19, 2025 at 10:06:58AM -0400, Robert Haas wrote: > On Wed, Mar 19, 2025 at 9:24 AM Greg Sabino Mullane > wrote: >>> The user has no particular reason to care about the fact that the >>> password they just typed ended up in the log. That is a concern for the >>> DBA, not the user, and

Re: PATCH: warn about, and deprecate, clear text passwords

2025-03-19 Thread Robert Haas
On Wed, Mar 19, 2025 at 9:24 AM Greg Sabino Mullane wrote: >> The user has no particular reason to care about the fact that the password >> they just typed ended up in the log. That is a concern for >> the DBA, not the user, and even if they care about the DBA's feelings, they >> only get the wa

Re: PATCH: warn about, and deprecate, clear text passwords

2025-03-19 Thread Bruce Momjian
On Wed, Mar 19, 2025 at 09:24:19AM -0400, Greg Sabino Mullane wrote: > I'm a little confused at some of the pushback - this patch is 100% backwards > compatible, addresses a specific requested concern by allowing a DBA to > disallow clear text passwords, and adds a warning to what is clearly a bad

Re: PATCH: warn about, and deprecate, clear text passwords

2025-03-19 Thread Greg Sabino Mullane
> > The user has no particular reason to care about the fact that the password > they just typed ended up in the log. That is a concern for > the DBA, not the user, and even if they care about the DBA's feelings, > they only get the warning after it's too late to do otherwise. Can't the same be s

Re: PATCH: warn about, and deprecate, clear text passwords

2025-03-17 Thread Robert Haas
On Sun, Mar 16, 2025 at 11:36 PM David G. Johnston wrote: > It could also be: > > warning: your password is known to Big Brother > hint: use psql \password to supply a private password, or see “docs/wiki > page” for more details and a way to pre-compute and send a private password > via SQL. OK
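
The hint quoted in that message names two ways of keeping the password out of the query text: psql's \password, which hashes client-side before sending, and pre-computing the verifier yourself and sending only that via SQL. As an added example, not code from the thread or from PostgreSQL itself, here is the second route in Python: it derives a SCRAM-SHA-256 verifier in the layout the server stores (SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>, RFC 5802/7677 key derivation), checks a candidate password against such a verifier, classifies a PASSWORD literal the way the server does (anything that is not an md5 or SCRAM verifier is cleartext), and builds the ALTER ROLE statement that carries only the verifier. The 4096 default iteration count and the 16-byte salt are PostgreSQL's defaults; the role name and password in the usage call are made up. It assumes the password is already SASLprep-normalised, which holds for ASCII input.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# PostgreSQL's stored form of a SCRAM-SHA-256 verifier:
#   SCRAM-SHA-256$<iterations>:<salt b64>$<StoredKey b64>:<ServerKey b64>
DEFAULT_ITERATIONS = 4096          # server default (scram_iterations)
SALT_LEN = 16                      # salt length psql/libpq use client-side

_SCRAM_RE = re.compile(
    r"^SCRAM-SHA-256\$(\d+):([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)$"
)
_MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def scram_keys(password: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """Derive (StoredKey, ServerKey) as in RFC 5802 with SHA-256.

    Assumption: `password` is already SASLprep-normalised (true for ASCII);
    the server applies SASLprep for non-ASCII input and this helper does not.
    """
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return stored_key, server_key


def make_scram_verifier(password: str, salt: Optional[bytes] = None,
                        iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a verifier string usable in ALTER ROLE ... PASSWORD '<verifier>'."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    stored_key, server_key = scram_keys(password, salt, iterations)
    return "SCRAM-SHA-256$%d:%s$%s:%s" % (
        iterations, _b64(salt), _b64(stored_key), _b64(server_key))


def check_scram_verifier(verifier: str, password: str) -> bool:
    """Recompute both keys from a candidate password; compare in constant time."""
    m = _SCRAM_RE.match(verifier)
    if not m:
        raise ValueError("not a SCRAM-SHA-256 verifier")
    iterations = int(m.group(1))
    salt = base64.b64decode(m.group(2))
    stored_key, server_key = scram_keys(password, salt, iterations)
    return (hmac.compare_digest(stored_key, base64.b64decode(m.group(3)))
            and hmac.compare_digest(server_key, base64.b64decode(m.group(4))))


def is_cleartext_password(literal: str) -> bool:
    """True unless the literal already is an md5 or SCRAM-SHA-256 verifier.

    Mirrors the server's rule: a literal that does not look like a stored
    verifier is hashed server-side, i.e. it already travelled, and was
    possibly logged, as plain text.
    """
    return not (_SCRAM_RE.match(literal) or _MD5_RE.match(literal))


def alter_role_sql(role: str, password: str) -> str:
    """Statement that sends only the verifier across the wire.

    The identifier is double-quoted with embedded quotes doubled; the verifier
    alphabet contains no single quotes, so the literal needs no escaping.
    """
    verifier = make_scram_verifier(password)
    return 'ALTER ROLE "%s" PASSWORD \'%s\';' % (role.replace('"', '""'), verifier)


if __name__ == "__main__":
    # Hypothetical role and password, for illustration only.
    print(alter_role_sql("app_user", "correct horse battery staple"))
```

The statement this produces still appears in the log if log_statement covers DDL, but what is logged is the verifier rather than the password, which is what the thread's hint is after. Note that the hashed form of a password that was once sent in cleartext does nothing for the earlier exposure: any copy already in pg_stat_activity, pg_stat_statements, .psql_history or the log stays there until cleaned out.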

PATCH: warn about, and deprecate, clear text passwords

2025-03-16 Thread David G. Johnston
On Sunday, March 16, 2025, Robert Haas wrote: > > > WARNING: you just caused a problem for somebody else > > The user has no particular reason to care about the fact that the > password they just typed ended up in the log. > It could also be: warning: your password is known to Big Brother hint:

Re: PATCH: warn about, and deprecate, clear text passwords

2025-03-16 Thread Robert Haas
On Fri, Mar 14, 2025 at 2:50 PM Greg Sabino Mullane wrote: > I'd rather not sit on this another year, if we can help it. We really should > be warning people about this practice. The exact wording of the hint can be > up for debate (or postponed - we technically don't have to say anything other

Re: PATCH: warn about, and deprecate, clear text passwords

2025-03-16 Thread Roberto Mello
On Fri, Mar 14, 2025 at 12:50 PM Greg Sabino Mullane wrote: > I'd rather not sit on this another year, if we can help it. We really > should be warning people about this practice. The exact wording of the hint > can be up for debate (or postponed - we technically don't have to say > anything othe

Re: PATCH: warn about, and deprecate, clear text passwords

2025-03-15 Thread Nathan Bossart
On Mon, Mar 03, 2025 at 01:54:59PM -0500, Robert Haas wrote: > Oh, good point. I don't know. I just have heard a LOT of complaining > about passwords showing up in the log, and I'm not sure insisting that > they have to all be encrypted is going to make all of the complaining > stop. +1. At this

Re: PATCH: warn about, and deprecate, clear text passwords

2025-03-14 Thread Greg Sabino Mullane
I'd rather not sit on this another year, if we can help it. We really should be warning people about this practice. The exact wording of the hint can be up for debate (or postponed - we technically don't have to say anything other than 'bad idea'). Having the ability to disable clear text password

Re: PATCH: warn about, and deprecate, clear text passwords

2025-03-03 Thread Tom Lane
Robert Haas writes: > I wonder if we could drum up some support for not including any > version of the password (even encrypted) in the query string. For > instance, let's say that to change your password you have to use the > new CHANGE PASSWORD command which can only be used at top level (not >

Re: PATCH: warn about, and deprecate, clear text passwords

2025-03-03 Thread Robert Haas
On Mon, Mar 3, 2025 at 1:47 PM Tom Lane wrote: > Robert Haas writes: > > I wonder if we could drum up some support for not including any > > version of the password (even encrypted) in the query string. For > > instance, let's say that to change your password you have to use the > > new CHANGE PA

Re: PATCH: warn about, and deprecate, clear text passwords

2025-03-03 Thread Robert Haas
On Mon, Mar 3, 2025 at 11:33 AM Nathan Bossart wrote: > I think it would be good to hear some other opinions on whether we should > consider sending clear-text passwords to the server as either 1) fully > supported, 2) deprecated but with no intent to remove anytime soon, or 3) > deprecated with t

Re: PATCH: warn about, and deprecate, clear text passwords

2025-03-03 Thread Isaac Morland
On Mon, 3 Mar 2025 at 12:07, Greg Sabino Mullane wrote: > On Mon, Mar 3, 2025 at 11:33 AM Nathan Bossart > wrote: > >> I think it would be good to hear some other opinions on whether we should >> consider sending clear-text passwords to the server as either 1) fully >> supported, 2) deprecated b

Re: PATCH: warn about, and deprecate, clear text passwords

2025-03-03 Thread Greg Sabino Mullane
On Mon, Mar 3, 2025 at 11:33 AM Nathan Bossart wrote: > I think it would be good to hear some other opinions on whether we should > consider sending clear-text passwords to the server as either 1) fully > supported, 2) deprecated but with no intent to remove anytime soon, or 3) > deprecated with

Re: PATCH: warn about, and deprecate, clear text passwords

2025-03-03 Thread Nathan Bossart
On Tue, Feb 25, 2025 at 11:13:51AM -0500, Greg Sabino Mullane wrote: > On Tue, Feb 25, 2025 at 10:34 AM Nathan Bossart > wrote: >> IMHO a WARNING would really only be appropriate if we are definitely going >> to remove support in the future, and that feels like a bit of a stretch to >> me due to t

Re: PATCH: warn about, and deprecate, clear text passwords

2025-02-25 Thread Greg Sabino Mullane
On Tue, Feb 25, 2025 at 10:34 AM Nathan Bossart wrote: > I noticed a nearby thread [0] in which there appears to be some budding > support for a GUC that disables sending passwords to the server in > clear-text, at least for CREATE/ALTER ROLE. Yep, that was the thread that inspired this patch!

Re: PATCH: warn about, and deprecate, clear text passwords

2025-02-25 Thread Nathan Bossart
On Mon, Feb 24, 2025 at 04:20:44PM -0500, Greg Sabino Mullane wrote: > On Mon, Feb 24, 2025 at 4:18 PM Nathan Bossart > wrote: >> Well, the discussion upthread suggests "disallowing plain text passwords >> completely" > > Yeah, that's more of a long-term dream than a real plan. It would certainly

Re: PATCH: warn about, and deprecate, clear text passwords

2025-02-24 Thread Greg Sabino Mullane
On Mon, Feb 24, 2025 at 4:18 PM Nathan Bossart wrote: > Well, the discussion upthread suggests "disallowing plain text passwords > completely" Yeah, that's more of a long-term dream than a real plan. It would certainly be no sooner than Postgres v24 or so... Cheers, Greg -- Crunchy Data - htt

Re: PATCH: warn about, and deprecate, clear text passwords

2025-02-24 Thread Nathan Bossart
On Mon, Feb 24, 2025 at 04:06:41PM -0500, Isaac Morland wrote: > And in any case I believe the existing behaviour can still be had by > configuration so we're not really imposing anything on anybody. Well, the discussion upthread suggests "disallowing plain text passwords completely" [0], which me

Re: PATCH: warn about, and deprecate, clear text passwords

2025-02-24 Thread Isaac Morland
On Mon, 24 Feb 2025 at 15:47, Nathan Bossart wrote: This is perhaps a nitpick, but one issue with ERROR-ing for clear text > passwords is that the default logging settings seem to send the statement > to the logs, too. So, it might actually increase the likelihood of the > password showing up in

Re: PATCH: warn about, and deprecate, clear text passwords

2025-02-24 Thread Nathan Bossart
On Mon, Feb 24, 2025 at 09:26:07AM -0500, Greg Sabino Mullane wrote: > * Lay the groundwork for eventually disallowing plain text passwords > completely. A long way off, but this is the start. After a couple years, we > could switch the default from "warn" to "disallow". A few years after that, > d

Re: PATCH: warn about, and deprecate, clear text passwords

2025-02-24 Thread Guillaume Lelarge
On 24/02/2025 14:55, Greg Sabino Mullane wrote: Guillaume Lelarge > wrote: I'm obviously +1 on this patch since I sent kinda the same patch two weeks ago Ha ha, my brain forgot about that one (even though I commented on it!) - apologies for that.

Re: PATCH: warn about, and deprecate, clear text passwords

2025-02-24 Thread Greg Sabino Mullane
Guillaume Lelarge wrote: I'm obviously +1 on this patch since I sent kinda the same patch two weeks > ago Ha ha, my brain forgot about that one (even though I commented on it!) - apologies for that. > set password_encryption to 'md5'; > create user u4 password 'md5u1'; > ... It complains tha

Re: PATCH: warn about, and deprecate, clear text passwords

2025-02-24 Thread Greg Sabino Mullane
On Mon, Feb 24, 2025 at 5:07 AM Aleksander Alekseev < aleksan...@timescale.com> wrote: > If the problem is that the password might be logged, wouldn't a proper > solution be not to log such queries? > Yes, this has been discussed before. The short answer is that it is extremely difficult to imple

Re: PATCH: warn about, and deprecate, clear text passwords

2025-02-24 Thread Aleksander Alekseev
Hi, > There have been a few complaints lately about the fact that we cavalierly > allow clear text passwords to be sent when doing CREATE USER or ALTER USER. > These, of course, can end up in many places, such as pg_stat_activity, > pg_stat_statements, .psql_history, and the server logs. It is

Re: PATCH: warn about, and deprecate, clear text passwords

2025-02-22 Thread Guillaume Lelarge
On 22/02/2025 09:07, Guillaume Lelarge wrote: On 21/02/2025 23:33, Greg Sabino Mullane wrote: There have been a few complaints lately about the fact that we cavalierly allow clear text passwords to be sent when doing CREATE USER or ALTER USER. These, of course, can end up in many places, such

Re: PATCH: warn about, and deprecate, clear text passwords

2025-02-22 Thread Guillaume Lelarge
On 21/02/2025 23:33, Greg Sabino Mullane wrote: There have been a few complaints lately about the fact that we cavalierly allow clear text passwords to be sent when doing CREATE USER or ALTER USER. These, of course, can end up in many places, such as pg_stat_activity, pg_stat_statements, .psql_

PATCH: warn about, and deprecate, clear text passwords

2025-02-21 Thread Greg Sabino Mullane
There have been a few complaints lately about the fact that we cavalierly allow clear text passwords to be sent when doing CREATE USER or ALTER USER. These, of course, can end up in many places, such as pg_stat_activity, pg_stat_statements, .psql_history, and the server logs. It is a genuinely vali
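
The opening message lists where a password typed into CREATE USER or ALTER USER ends up: pg_stat_activity, pg_stat_statements, .psql_history and the server log. As an added example, not code from the thread or from PostgreSQL, here is a small scanner a DBA can run over server log lines to find statements that carried a password literal, tell cleartext literals from md5 or SCRAM-SHA-256 verifiers (the same rule the server uses to decide whether it still has to hash the value), and redact the literal before the log is shipped anywhere. The log lines are constructed, the log_line_prefix layout is an assumption, and the statement pattern covers the CREATE/ALTER ROLE/USER/GROUP forms with an optional ENCRYPTED or UNENCRYPTED noise word.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# CREATE/ALTER ROLE|USER|GROUP <name> ... [ENCRYPTED|UNENCRYPTED] PASSWORD '<literal>'
# The role may be a bare identifier or a double-quoted one; the literal may
# contain doubled single quotes.
_PASSWORD_STMT = re.compile(
    r"\b(?:CREATE|ALTER)\s+(?:ROLE|USER|GROUP)\s+"
    r"(?P<role>\"(?:[^\"]|\"\")+\"|\w+)"
    r".*?\b(?:(?:UN)?ENCRYPTED\s+)?PASSWORD\s+'(?P<pw>(?:[^']|'')*)'",
    re.IGNORECASE,
)
# Literals the server accepts as already-hashed verifiers.
_HASHED = re.compile(
    r"^(?:md5[0-9a-f]{32}"
    r"|SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+)$"
)


@dataclass
class Finding:
    lineno: int      # 1-based index into the scanned lines
    role: str        # role name as written in the statement
    cleartext: bool  # True if the literal was a plain password


def scan_log(lines: List[str]) -> Tuple[List[Finding], List[str]]:
    """Return password findings plus a copy of the lines with every literal redacted."""
    findings: List[Finding] = []
    redacted: List[str] = []
    for n, line in enumerate(lines, start=1):
        m = _PASSWORD_STMT.search(line)
        if m:
            literal = m.group("pw")
            findings.append(Finding(n, m.group("role"), not _HASHED.match(literal)))
            # Blank out only the literal; keep the rest of the line for context.
            line = line[:m.start("pw")] + "<redacted>" + line[m.end("pw"):]
        redacted.append(line)
    return findings, redacted


def cleartext_roles(lines: List[str]) -> List[str]:
    """Roles whose password was sent, and logged, in cleartext."""
    return [f.role for f in scan_log(lines)[0] if f.cleartext]


# Constructed sample log; the prefix layout and the PIDs are made up.
SAMPLE_LOG = [
    "2025-03-19 10:06:58 UTC [4242] LOG:  statement: CREATE ROLE app_rw LOGIN PASSWORD 'hunter2'",
    "2025-03-19 10:07:01 UTC [4242] LOG:  statement: ALTER USER \"reporting\" WITH ENCRYPTED PASSWORD "
    "'SCRAM-SHA-256$4096:c2FsdHNhbHRzYWx0c2FsdA==$" + "A" * 43 + "=:" + "B" * 43 + "='",
    "2025-03-19 10:07:05 UTC [4243] ERROR:  role \"ops\" already exists",
    "2025-03-19 10:07:05 UTC [4243] STATEMENT:  CREATE USER ops PASSWORD 'md5" + "0" * 32 + "'",
    "2025-03-19 10:07:09 UTC [4244] LOG:  statement: ALTER ROLE app_rw SET search_path = 'public'",
]

if __name__ == "__main__":
    found, cleaned = scan_log(SAMPLE_LOG)
    for f in found:
        print("line %d: role %s %s" % (f.lineno, f.role,
                                        "CLEARTEXT" if f.cleartext else "verifier"))
    print("\n".join(cleaned))
```

The fourth sample line is the case Nathan Bossart raises upthread: a statement that failed with an ERROR is still echoed into the log under STATEMENT:, so refusing cleartext passwords server-side does not by itself keep them out of the log, which is why the scanner looks at error context lines as well as statement lines. Redacting the file is damage control only; the same text may already sit in pg_stat_statements and the client's history file.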