Re: Rejecting weak passwords

Magnus Hagander <magnus(at)hagander(dot)net> writes:
> On Wed, Oct 14, 2009 at 18:25, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Let's see you do that (hint: "CREATD USER ... PASSWORD" is going to
>> throw a syntax error before you realize there's anything there that
>> might need to be protected).

> I'm unsure if it's our responsibility to think about that. We can leak
> a *lot* of sensitive information to the logs through syntax errors,
> this is just one of them. We *do* need to worry about the statements
> when they are sent properly, of course.

Even if they're "sent properly", this entire discussion misses the point.
The reason to not want cleartext passwords in the logs is that the user
doesn't trust the DBA. Why would a user who doesn't trust the DBA
want to trust him to not be running a modified copy of the database with
all this nice logic disabled?

The real point of crypted passwords is to not let uncrypted passwords
go anywhere outside the *user's* control. If the DBA wants to enforce
a policy that is incompatible with that, it should be extremely obvious
to all concerned that that's what he's doing. In particular it should
be in the user's face that he's about to send an uncrypted password,
so that he can think twice about the particular password he's choosing
(and hopefully not use one that's also good for another service). For
relatively smart clients like pgAdmin, there might also be an option
to refuse to send such a command across an insecure connection, or at
least nag the user about it.

regards, tom lane