LOG: statement: alter user john password 'IloveDBAs';
The username and password have obviously been changed, but the point is plain: PostgreSQL printed the password value in plain text to the log file. A few tests of my own confirmed that whenever the PASSWORD specification is used in a CREATE USER or ALTER USER command, it will be printed to the server log:
LOG: statement: create user john password 'badidea';
LOG: statement: alter user john password 'alsobad';
Backfilling some helpful comments from the original blog post that were lost in migration.
Jeremy Scheider writes:
I suspect that you don't want the md5 hashes to get logged either. This might be a good read:
comment on that link: "The hash in the pg_shadow table is now a password equivalent. When an attacker steals this table (we assume this will happen eventually), she just uses any hash for authentication without even spending time to crack md5."
and Stephen Frost adds:
The real answer to this is to use the new SCRAM authentication method added in PostgreSQL v10, or to use a better authentication method such as Kerberos/GSSAPI or Client-Side Certificates.
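As an added example (not part of the original post or its comments), here is a small scanner for the leak described above: it walks log_statement output, flags every CREATE/ALTER USER or ROLE line carrying a PASSWORD clause, redacts the literal, and, following Jeremy's point, classifies a logged md5 hash as just as sensitive as plaintext while noting SCRAM verifiers separately. The sample log lines are constructed; the regular expression and classification rules are my own assumptions, not PostgreSQL code.

```python
import re
from dataclasses import dataclass
from typing import List

# Matches CREATE/ALTER USER|ROLE ... [ENCRYPTED] PASSWORD '<literal>'; the literal
# may contain doubled single quotes ('') as SQL escapes.
PASSWORD_CLAUSE = re.compile(
    r"(?P<head>\b(?:CREATE|ALTER)\s+(?:USER|ROLE)\s+\S+.*?\bPASSWORD\s+)'(?P<secret>(?:[^']|'')*)'",
    re.IGNORECASE,
)
MD5_HASH = re.compile(r"^md5[0-9a-f]{32}$")  # 'md5' + 32 hex digits, as stored in pg_authid

@dataclass
class Leak:
    line_no: int
    kind: str       # "plaintext", "md5-hash" or "scram-verifier"
    redacted: str   # the log line with the secret literal removed

def classify(secret: str) -> str:
    """An md5 hash is password-equivalent under md5 auth; a SCRAM verifier is not."""
    if MD5_HASH.match(secret):
        return "md5-hash"
    if secret.startswith("SCRAM-SHA-256$"):
        return "scram-verifier"
    return "plaintext"

def scan_log(text: str) -> List[Leak]:
    """Return one Leak per log line that carries a PASSWORD clause, value redacted."""
    leaks = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = PASSWORD_CLAUSE.search(line)
        if not m:
            continue
        kind = classify(m.group("secret"))
        redacted = PASSWORD_CLAUSE.sub(lambda mm: mm.group("head") + "'<REDACTED>'", line)
        leaks.append(Leak(n, kind, redacted))
    return leaks

# Constructed sample lines in log_statement format (not taken from any real server).
SAMPLE_LOG = """\
LOG:  statement: select 1;
LOG:  statement: create user john password 'badidea';
LOG:  statement: ALTER ROLE app_ro WITH ENCRYPTED PASSWORD 'md50123456789abcdef0123456789abcdef';
LOG:  statement: alter user john password 'it''s also bad';
LOG:  statement: alter user john password 'SCRAM-SHA-256$4096:salt$stored:server';
"""
if __name__ == "__main__":
    for leak in scan_log(SAMPLE_LOG):
        print(f"line {leak.line_no}: {leak.kind:14s} {leak.redacted}")
```

Run it over a real server log (or wire it into log shipping) to find out whether any credential-bearing statements are already sitting in the log files.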