On Sun, Feb 19, 2017 at 6:13 PM, Michael Paquier
<michael.paquier@gmail.com> wrote:
> On Sun, Feb 19, 2017 at 8:03 PM, Magnus Hagander <magnus@hagander.net> wrote:
>> If password auth is used, we have to store the password in plaintext
>> equivalent somewhere. Meaning it's by definition going to be exposed to
>> superusers and replication downstreams.
>
> Another possibility is to mention the use of the new passfile
> parameter for connection strings in the docs... This removes the need
> to have plain passwords directly stored in the database. Not sure if
> that's better though because that still mean that the password is
> present in plain format somewhere.
The real solution to "the password is present in plain form somewhere"
is probably "don't use passwords for authentication". Because,
ultimately, a password by its nature has to exist in plain form
somewhere, at least in someone's brain, and very likely in their
password manager or the post-it stuck to their desk or the Notes app
on their iPhone or similar. If the password is simple enough that the
DBA can be certain of remembering it without any sort of memory aid,
it's probably dumb simple. If the DBA has few enough distinct
passwords that he doesn't need a memory aid just on the basis of sheer
volume of passwords needing to be remembered, that's probably not good
either.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company