What are best practices wrt passwords?
mbork@mbork.pl
From: mbork@mbork.pl
To: pgsql-general@postgresql.org
Date: 2024-10-16T09:35:46Z
Lists: pgsql-general
Hello all, I'd like to be able to use psql without typing passwords again and again. I know about `.pgpass` and PGPASSFILE, but I specifically do not want to use it - I have the password in the `.env` file, and having it in _two_ places comes with its own set of problems, like how to make sure they don't get out of sync. I understand why giving the password on the command line or in an environment variable is a security risk (because of `ps`), but I do not understand why `psql` doesn't have an option like `--password-command` accepting a command which then prints the password on stdout. For example, I could then use `pass` (https://www.passwordstore.org/) with gpg-agent. Is there any risk associated with this usage pattern? What is the recommended practice in my case other than using `.pgpass`? Thanks in advance, P.S. Please CC me in replies, since I'm not subscribed to the list. Thanks. -- Marcin Borkowski https://mbork.pl https://crimsonelevendelightpetrichor.net/