Re: What are best practices wrt passwords?

From: mbork(at)mbork(dot)pl
To: Dominique Devienne <ddevienne(at)gmail(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: What are best practices wrt passwords?
Date: 2024-10-16 16:16:57
Message-ID: 87frowggzq.fsf@mbork.pl
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On 2024-10-16, at 14:41, Dominique Devienne <ddevienne(at)gmail(dot)com> wrote:

> On Wed, Oct 16, 2024 at 2:25 PM <mbork(at)mbork(dot)pl> wrote:
>> I'd like to be able to use psql without typing passwords again and
>> again. I know about `.pgpass` and PGPASSFILE, but I specifically do not
>> want to use it - I have the password in the `.env` file, and having it
>> in _two_ places comes with its own set of problems, like how to make
>> sure they don't get out of sync.
>
> What's wrong with PGPASSWORD?
> https://www.postgresql.org/docs/current/libpq-envars.html

`ps auxe` shows all processes with their environments, no?

>> I understand why giving the password on the command line or in an
>> environment variable is a security risk (because of `ps`), but I do not
>> understand why `psql` doesn't have an option like `--password-command`
>> accepting a command which then prints the password on stdout. For
>> example, I could then use `pass` (https://www.passwordstore.org/) with
>> gpg-agent.
>
> It's not psql, it's libpq, that does that, FTR.

Good point, thanks.

> My own apps are libpq based, and inherit all its env-vars and defaults.
>
> But I'd welcome a way to store password encrypted,
> unlike the current mechanisms. And what you propose
> would allow that I guess, if I understand correctly. So +1.
> (and since transient better than enrypted/obfuscated passwords)
>
>> Is there any risk associated with this usage pattern? What is the
>> recommended practice in my case other than using `.pgpass`?
>
> Storing password in plain text? --DD

You have to store it somewhere on the server where your application
(which connects to the database) lives anyway, right? I see no
significant difference wrt security between .env and .pgpass. (Though
I'm far from a security expert.)

Best,

--
Marcin Borkowski
https://mbork.pl
https://crimsonelevendelightpetrichor.net/

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Bruce Momjian 2024-10-16 16:33:01 Re: What are best practices wrt passwords?
Previous Message Alvaro Herrera 2024-10-16 14:37:11 Re: What are best practices wrt passwords?