    Tatsuo Ishii <t-ishii@sra.co.jp> writes: · 78f7ba13
    Bruce Momjian authored
    > As you can see, psql reconnects as any user if the password is the same as
    > foo. Of course this is due to the careless password setting, but I
    > think it's better to prompt ANY TIME the user tries to switch to
    > another user. Comments?
    
    Yeah, I agree.  Looks like a simple change in dbconnect():
    
        /*
         * Use old password if no new one given (if you didn't have an old
         * one, fine)
         */
        if (!pwparam && oldconn)
            pwparam = PQpass(oldconn);
    
    to
    
        /*
         * Use old password (if any) if no new one given and we are
         * reconnecting as same user
         */
        if (!pwparam && oldconn && PQuser(oldconn) && userparam &&
            strcmp(PQuser(oldconn), userparam) == 0)
            pwparam = PQpass(oldconn);
    
                            regards, tom lane
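
Review bot: in the replacement condition, the "userparam &&" term makes the reuse test false whenever userparam is NULL, so if dbconnect() can get here with a NULL userparam standing for "keep the current user", that reconnect no longer picks up PQpass(oldconn) and pwparam stays NULL. If that is intended, the comment should say so; if not, resolve userparam to PQuser(oldconn) before the strcmp(). The comment would also benefit from stating the reason for the user check (the stored password must not be offered on behalf of a different user), since "reconnecting as same user" alone does not explain why the old behaviour was a problem.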
command.c 38.7 KB