From: Dominique Devienne
Date: Wed, 16 Oct 2024 14:41:47 +0200
Subject: Re: What are best practices wrt passwords?
To: mbork@mbork.pl
Cc: pgsql-general@postgresql.org
In-Reply-To: <87o73kgzkd.fsf@mbork.pl>

On Wed, Oct 16, 2024 at 2:25 PM wrote:
> I'd like to be able to use psql without typing passwords again and
> again. I know about `.pgpass` and PGPASSFILE, but I specifically do not
> want to use it - I have the password in the `.env` file, and having it
> in _two_ places comes with its own set of problems, like how to make
> sure they don't get out of sync.

What's wrong with PGPASSWORD?
https://www.postgresql.org/docs/current/libpq-envars.html

> I understand why giving the password on the command line or in an
> environment variable is a security risk (because of `ps`), but I do not
> understand why `psql` doesn't have an option like `--password-command`
> accepting a command which then prints the password on stdout. For
> example, I could then use `pass` (https://www.passwordstore.org/) with
> gpg-agent.

It's not psql, it's libpq, that does that, FTR.
My own apps are libpq based, and inherit all its env-vars and defaults.

But I'd welcome a way to store password encrypted, unlike the current mechanisms.
And what you propose would allow that I guess, if I understand correctly. So +1.
(and since transient is better than encrypted/obfuscated passwords)

> Is there any risk associated with this usage pattern? What is the
> recommended practice in my case other than using `.pgpass`?

Storing password in plain text?

--DD
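The "password command" pattern discussed above can be emulated today outside libpq. The following POSIX shell wrapper is an added example, not code from this thread or from PostgreSQL: it runs a caller-supplied command (for instance `pass show ...` backed by gpg-agent), writes its output to a transient 0600 `.pgpass` file, and hands the child only the file path via PGPASSFILE, so the secret is neither on the command line, nor in PGPASSWORD, nor stored permanently. The function names `pg_with_password_cmd`, `pgpass_escape` and `pgpass_line` are hypothetical; PGHOST, PGPORT, PGDATABASE, PGUSER and PGPASSFILE are the real libpq variables.

```shell
#!/bin/sh
# Added example, not code from the thread or from PostgreSQL/libpq.
# Emulates the proposed "--password-command" outside libpq: the password is
# produced by a command at run time, written to a transient .pgpass file with
# mode 0600, and passed to the child only as a file path in PGPASSFILE. It is
# never on the command line, never in PGPASSWORD, and never stored permanently.
# Function names are hypothetical; PGHOST/PGPORT/PGDATABASE/PGUSER/PGPASSFILE
# are the real libpq environment variables.

# Escape the two characters libpq requires escaping inside a .pgpass field.
pgpass_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/:/\\:/g'
}

# Build one .pgpass line: hostname:port:database:username:password
pgpass_line() {
    printf '%s:%s:%s:%s:%s\n' "$1" "$2" "$3" "$4" "$(pgpass_escape "$5")"
}

# pg_with_password_cmd PASSWORD_COMMAND -- CHILD_COMMAND [ARGS...]
pg_with_password_cmd() {
    pwcmd=$1
    shift
    [ "$1" = "--" ] && shift

    # Run the password command; $(...) strips the trailing newline, so a
    # single-line 'pass show db/prod' entry can be used as-is.
    password=$(sh -c "$pwcmd") || return 1
    if [ -z "$password" ]; then
        echo "pg_with_password_cmd: password command printed nothing" >&2
        return 1
    fi

    # libpq silently ignores a pgpass file that is group- or world-readable.
    pgpassfile=$(mktemp) || return 1
    chmod 600 "$pgpassfile"
    pgpass_line "${PGHOST:-*}" "${PGPORT:-*}" "${PGDATABASE:-*}" "${PGUSER:-*}" "$password" > "$pgpassfile"

    # Only the path enters the child's environment, not the secret itself.
    PGPASSFILE=$pgpassfile "$@"
    rc=$?

    rm -f "$pgpassfile"
    # POSIX sh functions share the caller's scope: scrub the secret afterwards.
    unset password pwcmd pgpassfile
    return "$rc"
}

# Usage with pass(1) and gpg-agent, assuming the entry's first line is the password:
#   pg_with_password_cmd 'pass show db/prod | head -n 1' -- psql -h db.example.org -U alice app
```

Two caveats worth keeping in mind with the alternatives mentioned in the thread: on Linux a plain `ps` does not show environment variables, but any process running as the same user can read PGPASSWORD from /proc/PID/environ, whereas /proc/PID/cmdline is readable by every user, which is why a password on the command line is strictly worse; and a static ~/.pgpass is only honoured by libpq when its mode forbids group and world access, which the wrapper enforces with `chmod 600` on the temporary file.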