Re: What are best practices wrt passwords?

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Dominique Devienne <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: Re: What are best practices wrt passwords?
Date: Wed, 16 Oct 2024 14:41:47 +0200
Message-ID: <CAFCRh-8dM4bLGTKcv1v5wC9guhY_b5G=6w-ivHM4UJGwMUyWaA@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>

On Wed, Oct 16, 2024 at 2:25 PM <[email protected]> wrote:
> I'd like to be able to use psql without typing passwords again and
> again.  I know about `.pgpass` and PGPASSFILE, but I specifically do not
> want to use it - I have the password in the `.env` file, and having it
> in _two_ places comes with its own set of problems, like how to make
> sure they don't get out of sync.

What's wrong with PGPASSWORD?
https://www.postgresql.org/docs/current/libpq-envars.html

> I understand why giving the password on the command line or in an
> environment variable is a security risk (because of `ps`), but I do not
> understand why `psql` doesn't have an option like `--password-command`
> accepting a command which then prints the password on stdout.  For
> example, I could then use `pass` (https://www.passwordstore.org/) with
> gpg-agent.

It's not psql, it's libpq, that does that, FTR.
My own apps are libpq based, and inherit all its env-vars and defaults.

But I'd welcome a way to store password encrypted,
unlike the current mechanisms. And what you propose
would allow that I guess, if I understand correctly. So +1.
(and since transient better than enrypted/obfuscated passwords)

> Is there any risk associated with this usage pattern?  What is the
> recommended practice in my case other than using `.pgpass`?

Storing password in plain text? --DD

view thread (4+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected]
  Subject: Re: What are best practices wrt passwords?
  In-Reply-To: <CAFCRh-8dM4bLGTKcv1v5wC9guhY_b5G=6w-ivHM4UJGwMUyWaA@mail.gmail.com>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox