From: | Dominique Devienne <ddevienne(at)gmail(dot)com> |
---|---|
To: | mbork(at)mbork(dot)pl |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: What are best practices wrt passwords? |
Date: | 2024-10-16 12:41:47 |
Message-ID: | CAFCRh-8dM4bLGTKcv1v5wC9guhY_b5G=6w-ivHM4UJGwMUyWaA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
On Wed, Oct 16, 2024 at 2:25 PM <mbork(at)mbork(dot)pl> wrote:
> I'd like to be able to use psql without typing passwords again and
> again. I know about `.pgpass` and PGPASSFILE, but I specifically do not
> want to use it - I have the password in the `.env` file, and having it
> in _two_ places comes with its own set of problems, like how to make
> sure they don't get out of sync.
What's wrong with PGPASSWORD?
https://www.postgresql.org/docs/current/libpq-envars.html
> I understand why giving the password on the command line or in an
> environment variable is a security risk (because of `ps`), but I do not
> understand why `psql` doesn't have an option like `--password-command`
> accepting a command which then prints the password on stdout. For
> example, I could then use `pass` (https://www.passwordstore.org/) with
> gpg-agent.
It's not psql, it's libpq, that does that, FTR.
My own apps are libpq based, and inherit all its env-vars and defaults.
But I'd welcome a way to store password encrypted,
unlike the current mechanisms. And what you propose
would allow that I guess, if I understand correctly. So +1.
(and since transient better than enrypted/obfuscated passwords)
> Is there any risk associated with this usage pattern? What is the
> recommended practice in my case other than using `.pgpass`?
Storing password in plain text? --DD
From | Date | Subject | |
---|---|---|---|
Next Message | felix.quintgz | 2024-10-16 14:16:45 | Re: What are best practices wrt passwords? |
Previous Message | Richards, Nina | 2024-10-16 11:57:14 | Re: Support for dates before 4713 BC |