Re: What are best practices wrt passwords?

Alvaro Herrera <alvherre@alvh.no-ip.org>

From: Alvaro Herrera <alvherre@alvh.no-ip.org>
To: mbork@mbork.pl
Cc: pgsql-general@postgresql.org
Date: 2024-10-16T14:37:11Z
Lists: pgsql-general
On 2024-Oct-16, mbork@mbork.pl wrote:

> I understand why giving the password on the command line or in an
> environment variable is a security risk (because of `ps`), but I do not
> understand why `psql` doesn't have an option like `--password-command`
> accepting a command which then prints the password on stdout.  For
> example, I could then use `pass` (https://www.passwordstore.org/) with
> gpg-agent.

We had a patch to add PGPASSCOMMAND once:
https://www.postgresql.org/message-id/flat/CAE35ztOGZqgwae3mBA%3DL97pSg3kvin2xycQh%3Dir%3D5NiwCApiYQ%40mail.gmail.com

I don't remember the overall conclusions (other than the patch being
rejected), but maybe you can give that a read.

-- 
Álvaro Herrera         PostgreSQL Developer  —  https://www.EnterpriseDB.com/