Re: Password leakage avoidance
From | Peter Eisentraut |
---|---|
Subject | Re: Password leakage avoidance |
Date | |
Msg-id | ece799b9-f90f-411b-b5d9-9df430fc2974@eisentraut.org |
In reply to | Password leakage avoidance (Joe Conway <mail@joeconway.com>) |
Responses | Re: Password leakage avoidance |
List | pgsql-hackers |
On 23.12.23 16:13, Joe Conway wrote:
> I have recently, once again for the umpteenth time, been involved in
> discussions around (paraphrasing) "why does Postgres leak the passwords
> into the logs when they are changed". I know well that the canonical
> advice is something like "use psql with \password if you care about that".
>
> And while that works, it is a deeply unsatisfying answer for me to give
> and for the OP to receive.
>
> The alternative is something like "...well if you don't like that, use
> PQencryptPasswordConn() to roll your own solution that meets your
> security needs".
>
> Again, not a spectacular answer IMHO. It amounts to "here is a
> do-it-yourself kit, go put it together". It occurred to me that we can,
> and really should, do better.
>
> The attached patch set moves the guts of \password from psql into the
> libpq client side -- PQchangePassword() (patch 0001).
>
> The usage in psql serves as a ready built-in test for the libpq function
> (patch 0002). Docs included too (patch 0003).

I don't follow how you get from the problem statement to this solution. This proposal doesn't avoid password leakage, does it? It just provides a different way to phrase the existing solution.

Who is a potential user of this solution? Right now it just saves a dozen lines in psql, but it's not clear how it improves anything else.
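The "do-it-yourself kit" the thread refers to is client-side hashing: `PQencryptPasswordConn()` (and psql's `\password`) turn the plaintext into a SCRAM-SHA-256 verifier on the client and send `ALTER ROLE ... PASSWORD '<verifier>'`, so the statement text that `log_statement` would write to the server log never contains the plaintext. The block below is an added, stand-alone Python illustration of that flow; it is not code from the thread, from libpq or from the proposed patches. It assumes the server's `password_encryption` is `scram-sha-256`, uses the default 4096 iterations and a 16-byte salt, and skips SASLprep normalization (so passwords are assumed to be plain ASCII). `check_password()` recomputes StoredKey from a candidate password the way a plain-password check against a stored SCRAM secret does, which lets the example confirm its own output offline.

```python
import base64
import hashlib
import hmac
import os

# Default iteration count PostgreSQL uses for SCRAM-SHA-256 secrets.
SCRAM_DEFAULT_ITERATIONS = 4096
SALT_LEN = 16  # bytes; the salt length libpq uses


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def _salted_password(password, salt, iterations):
    # SASLprep is skipped here (assumption: ASCII password).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_scram_secret(password, salt=None, iterations=SCRAM_DEFAULT_ITERATIONS):
    """Build a PostgreSQL-style SCRAM-SHA-256 secret for `password`.

    Layout: SCRAM-SHA-256$<iterations>:<salt_b64>$<StoredKey_b64>:<ServerKey_b64>
    Only the derived keys leave the client; the plaintext never does.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    salted = _salted_password(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return "SCRAM-SHA-256$%d:%s$%s:%s" % (
        iterations, _b64(salt), _b64(stored_key), _b64(server_key))


def parse_scram_secret(secret):
    """Split a secret into (iterations, salt, stored_key, server_key)."""
    mechanism, rest = secret.split("$", 1)
    if mechanism != "SCRAM-SHA-256":
        raise ValueError("unsupported mechanism: %s" % mechanism)
    iter_salt, keys = rest.split("$", 1)
    iterations, salt_b64 = iter_salt.split(":", 1)
    stored_b64, server_b64 = keys.split(":", 1)
    return (int(iterations), base64.b64decode(salt_b64),
            base64.b64decode(stored_b64), base64.b64decode(server_b64))


def check_password(secret, candidate):
    """Re-derive StoredKey from `candidate` and compare in constant time."""
    iterations, salt, stored_key, _server_key = parse_scram_secret(secret)
    salted = _salted_password(candidate, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)


def quote_identifier(name):
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value):
    return "'" + value.replace("'", "''") + "'"


def alter_role_password_sql(role, password, salt=None):
    """The statement a client would send; contains the secret, not the password."""
    secret = build_scram_secret(password, salt)
    return "ALTER ROLE %s PASSWORD %s" % (quote_identifier(role), quote_literal(secret))


if __name__ == "__main__":
    # Constructed sample input; the role name and password are illustrative.
    sql = alter_role_password_sql("alice", "correct horse battery")
    print(sql)
    print("plaintext present in statement:", "correct horse battery" in sql)
```

Running the module prints the `ALTER ROLE` text a client would send and confirms the plaintext is absent from it; that statement is what a logging server would record. The SCRAM secret itself still needs protecting (it allows an attacker holding it to impersonate the server and, with work, to brute-force the password), so the client-side step narrows the exposure to the log file rather than removing the need to protect `pg_authid`.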