then it will be shipped to the server in plaintext, though luckily it will still be stored in an
encrypted form.
PostgreSQL doesn't enforce a password change cycle, so you may wish to use more
advanced authentication mechanisms, such as GSSAPI, SSPI, LDAP, RADIUS, and so on.
Avoiding hardcoding your password
We all agree that hardcoding your password is a bad idea. This recipe shows us how to keep
the password in a secure password file.
Getting ready
Not all database users need passwords; some databases use other means of authentication.
Don't do this step unless you know you will be using password authentication, and you know
your password.
First, remove the hardcoded password from where you'd set it previously. Completely remove
the password = xxxx text from the connection string in a program. Otherwise, when you test
the password file, the hardcoded setting will override the details you are just about to place in
the file. Having the password hardcoded and in the password file is not any better.
Using PGPASSWORD is not recommended either, so remove that also.
If you think someone may have seen the password, then change your password before
placing it in the secure password file.
How to do it...
A password file holds the five fields we need to connect, one connection per line, so that
file permissions, rather than program source or the environment, protect the password:
host:port:dbname:user:password
such as
myhost:5432:postgres:sriggs:moresecure
The password file is located using an environment variable named PGPASSFILE. If
PGPASSFILE is not set, then a default filename and location are searched:
- On *nix systems, check for ~/.pgpass
- On Windows systems, check %APPDATA%\postgresql\pgpass.conf, where
%APPDATA% is the Application Data subdirectory in the path. (For me, that would
be C:\ )
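As an added example (not from the book), here is the recipe's file format and permission rule worked through in Python: it parses a constructed ~/.pgpass-style file, resolves a connection's password the way libpq does (first matching line wins, * in any of the first four fields matches anything, backslash escapes ':' and '\'), and checks that the file grants no group or world access, which libpq requires before it will use the file. The hosts, users, passwords and the temporary path are constructed values.

```python
import os
import tempfile
# Constructed sample in the host:port:dbname:user:password layout described above; values are made up.
SAMPLE_PGPASS = """\
# comment and blank lines are ignored
myhost:5432:postgres:sriggs:moresecure
myhost:5432:*:sriggs:pa\\:ss
*:*:*:*:fallback
"""

def split_fields(line):
    """Split on unescaped ':' into at most five fields; '\\' escapes ':' and '\\'."""
    fields, cur, i = [], "", 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur, i = cur + line[i + 1], i + 2
        elif ch == ":" and len(fields) < 4:  # only the first four ':' separate fields
            fields, cur, i = fields + [cur], "", i + 1
        else:
            cur, i = cur + ch, i + 1
    return fields + [cur]

def parse_pgpass(text):
    """Skip blank and '#' lines; keep only lines that yield exactly five fields."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    return [tuple(f) for f in map(split_fields, lines) if len(f) == 5]

def lookup_password(entries, host, port, dbname, user):
    """First matching line wins; '*' in any of the first four fields matches anything."""
    want = (host, str(port), dbname, user)
    for entry in entries:
        if all(f == "*" or f == w for f, w in zip(entry[:4], want)):
            return entry[4]
    return None

def file_is_private(path):
    # libpq ignores a password file that has any group or world permission bits set.
    return (os.stat(path).st_mode & 0o077) == 0

def demo(path=None):
    """Write the sample owner-only (0600 from creation), reload it and resolve one lookup."""
    path = path or os.path.join(tempfile.mkdtemp(), "pgpass")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_PGPASS)
    with open(path) as f:
        entries = parse_pgpass(f.read())
    return file_is_private(path), lookup_password(entries, "myhost", 5432, "postgres", "sriggs")
```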