On Fri, 2020-04-17 at 02:01 +0000, PG Doc comments form wrote:
> pg_stat_statements is recording passwords also, is there any way to avoid
> the logging of passwords without droping extension package.
> testdb=> create user test1 with password 'test123';
> CREATE ROLE
> testdb=> create user test2 with encrypted password 'test123';
> CREATE ROLE
> test=> select query from pg_stat_statements where query like '%test%';
> query
> -----------------------------------------------------------
> create user test1 with encrypted password 'test123'
> create user test2 with password 'test123'
There is no way to obfuscate such passwords.
Note that these statements will also show up in the server log
if you set "log_statement = 'ddl'".
For these reasons it is recommended to never set your password like
this, but always hash it on the client side first.
Most interactive clients have a way to do that, like psql`s "\password".
Yours,
Laurenz Albe
--
Cybertec | https://www.cybertec-postgresql.com