Re: Bug Report - PGAdmin3 windows pgpass.conf passwords stored in plain text

From: Dave Page <dpage(at)postgresql(dot)org>
To: Joe Moyle <jmoyle(at)paymetric(dot)com>
Cc: pgadmin-support(at)postgresql(dot)org
Subject: Re: Bug Report - PGAdmin3 windows pgpass.conf passwords stored in plain text
Date: 2007-05-23 16:25:45
Message-ID: 46546B09.5080108@postgresql.org

Joe Moyle wrote:
>> Joe Moyle wrote:
> ...
>>> While doing some poking around I discovered that the passwords in the
>>> pgpass.conf file are stored in plain text. I consider this a bug.
> ...
>>> Would the 'powers that be' list this as a bug and add it to the TODO
>>> list?
>> This is how PostgreSQL's libpq requires the file to be formatted.
>>
>> Regards, Dave.
>
> First let me say that I'm not a programmer (wanna-be at best) so I'm
> asking forgiveness in advance if I use the wrong nomenclature or fail to
> communicate what I'm thinking in terms that interested parties can
> easily understand.
>
> I'm looking at the documentation for the libpq method called
> PQconnectdb. I see that it requires user and password in a scenario
> like I've got my server set up. I still think that PGA3 storing the
> password in plain text is a bug. Wouldn't it be better if it stored it
> encrypted using an encryption algorithm that can be unencrypted so that
> it could be unencrypted and then sent to libpq in plain text?
>
> When trying to answer this question for myself I thought that it might
> be pointless because some key would be required for unencrypting. I
> then thought that if I had to type in the key every time it would blow
> my lazy desire to type less out of the water. Upon further reflection I
> thought that it would still be better since I would only have to
> remember one key instead of the various username/password combinations.
>
> I can't help but feel I'm missing something obvious here but am just too
> ignorant to know it. I'll continue reading the libpq documentation and
> thinking about it.
>

pgAdmin only ever writes the file; libpq does the reading, so we have to
write it in the format it dictates. See
http://www.postgresql.org/docs/8.2/interactive/libpq-pgpass.html for
more info.

pgAdmin 1.8 does also warn you about the possible consequences of having
an unsecured pgpass file.

Regards, Dave.
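The password-file format Dave refers to, as an added example that is not part of this thread and is neither pgAdmin's nor libpq's code: a small Python writer and reader for pgpass entries following the rules in the libpq documentation (five colon-separated fields `hostname:port:database:username:password`, `*` as a wildcard in the first four fields, first matching line wins, `:` and `\` inside a field escaped with a backslash, and on Unix the file ignored unless it is mode 0600; libpq makes no permission check on Windows). The host names, user names, passwords and sample file contents are constructed for the example.

```python
"""Constructed illustration of the libpq password-file (pgpass) format;
not pgAdmin or libpq code.  Rules from the libpq documentation: one
hostname:port:database:username:password entry per line, '*' in any of the
first four fields matches anything, first matching line wins, ':' or '\\'
inside a field is escaped with a backslash, and on Unix the file is ignored
unless group/world have no access (0600); Windows gets no permission check.
The password field is written verbatim, which is why it is plain text."""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional

IS_WINDOWS = os.name == "nt"

@dataclass
class PgpassEntry:
    host: str
    port: str
    database: str
    user: str
    password: str

def escape_field(value: str) -> str:
    """Backslash-escape '\\' and ':' so a field cannot split the line."""
    return value.replace("\\", "\\\\").replace(":", "\\:")

def format_entry(e: PgpassEntry) -> str:
    """Render one line exactly as libpq expects to read it."""
    fields = (e.host, e.port, e.database, e.user, e.password)
    return ":".join(escape_field(f) for f in fields)

def split_fields(line: str) -> List[str]:
    """Split on unescaped ':' and drop the escaping backslashes."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # escaped character
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields

def parse_pgpass(text: str) -> List[PgpassEntry]:
    """Parse file contents; blank lines, '#' comments and short lines skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        if len(fields) >= 5:
            entries.append(PgpassEntry(*fields[:5]))
    return entries

def lookup(entries: List[PgpassEntry], host: str, port, database: str,
           user: str) -> Optional[str]:
    """Password of the first entry matching the connection, else None."""
    want = (host, str(port), database, user)
    for e in entries:
        have = (e.host, e.port, e.database, e.user)
        if all(h == "*" or h == w for h, w in zip(have, want)):
            return e.password
    return None

def permissions_ok(path: str) -> bool:
    """libpq's Unix check: no group/world bits.  Windows: no check, so True."""
    if IS_WINDOWS:
        return True
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def write_pgpass(path: str, entries: List[PgpassEntry]) -> None:
    """Write the file (passwords verbatim) and restrict it to 0600."""
    with open(path, "w", encoding="utf-8") as fh:
        for e in entries:
            fh.write(format_entry(e) + "\n")
    os.chmod(path, 0o600)

def permission_demo() -> tuple:
    """(ok at 0644, ok at 0600) for a throwaway file: (False, True) on Unix."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        too_open = permissions_ok(path)
        os.chmod(path, 0o600)
        restricted = permissions_ok(path)
    finally:
        os.unlink(path)
    return too_open, restricted

if __name__ == "__main__":  # constructed sample; the password is stored verbatim
    sample = [PgpassEntry("db.example.com", "5432", "*", "jmoyle", "p:ss\\word"),
              PgpassEntry("*", "*", "*", "postgres", "fallback")]
    print("\n".join(format_entry(e) for e in sample))
    print(lookup(sample, "db.example.com", 5432, "appdb", "jmoyle"))
```

Whatever the writing program does, the fifth field has to reach libpq as the literal password, so the only protection the format itself offers is the file's permissions on Unix and, on Windows, the access control of the directory holding %APPDATA%\postgresql\pgpass.conf.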
