
Re: Bug Report - PGAdmin3 windows pgpass.conf passwords stored in plain text

From: Dave Page <dpage(at)postgresql(dot)org>
To: Joe Moyle <jmoyle(at)paymetric(dot)com>
Cc: pgadmin-support(at)postgresql(dot)org
Subject: Re: Bug Report - PGAdmin3 windows pgpass.conf passwords stored in plain text
Date: 2007-05-23 16:25:45
Lists: pgadmin-support
Joe Moyle wrote:
>> Joe Moyle wrote:
> ...
>>> While doing some poking around I discovered that the passwords in the
>>> pgpass.conf file are stored in plain text.  I consider this a bug.
> ...
>>> Would the 'powers that be' list this as a bug and add it to the TODO
>>> list?
>> This is how PostgreSQL's libpq requires the file to be formatted.
>> Regards, Dave.
> First let me say that I'm not a programmer (wanna-be at best) so I'm
> asking forgiveness in advance if I use the wrong nomenclature or fail to
> communicate what I'm thinking in terms that interested parties can
> easily understand.
> I'm looking at the documentation for the libpq method called
> PQconnectdb.  I see that it requires user and password in a scenario
> like I've got my server set up.  I still think that PGA3 storing the
> password in plain text is a bug.  Wouldn't it be better if it stored it
> encrypted using an encryption algorithm that can be unencrypted so that
> it could be unencrypted and then sent to libpq in plain text?
> When trying to answer this question for myself I thought that it might
> be pointless because some key would be required for unencrypting.  I
> then thought that if I had to type in the key every time it would blow
> my lazy desire to type less out of the water.  Upon further reflection I
> thought that it would still be better since I would only have to
> remember one key instead of the various username/password combinations.
> I can't help but feel I'm missing something obvious here but am just too
> ignorant to know it.  I'll continue reading the libpq documentation and
> thinking about it.

pgAdmin only ever writes the file, libpq does the reading so we have to
write it in the format it dictates. See for
more info.

pgAdmin 1.8 does also warn you about the possible consequences of having
an unsecured pgpass file.

Regards, Dave.
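
The reply above says libpq dictates the file format and that an unsecured pgpass file has consequences. The following is an added example, not part of the original message and not pgAdmin or libpq code: a Python audit that parses the five colon-separated fields (with backslash escapes), flags a file mode looser than 0600 on POSIX, and flags wildcard-host entries, without ever printing a password. The file content, host names and credentials are constructed, and the function names are hypothetical.

```python
import os
import tempfile

# Constructed sample file; hosts, users and passwords are made up.
SAMPLE = (
    "# hostname:port:database:username:password\n"
    "db1.example.internal:5432:sales:joe:s3cret\\:with\\\\escapes\n"
    "*:*:*:postgres:hunter2\n"
    "broken-line-without-enough-fields\n"
)

def parse_pgpass_line(line):
    """Split on unescaped ':'; return the 5 fields, or None if malformed."""
    fields, i = [""], 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):
            i += 1                      # backslash: next character is literal
            fields[-1] += line[i]
        elif line[i] == ":":
            fields.append("")
        else:
            fields[-1] += line[i]
        i += 1
    return fields if len(fields) == 5 else None

def audit_pgpass(path):
    """Return findings, never passwords. On Windows, review the directory ACL."""
    findings = []
    mode = os.stat(path).st_mode & 0o777
    if os.name == "posix" and mode & 0o077:
        findings.append(f"mode {mode:04o}: accessible beyond owner, use 0600")
    with open(path, encoding="utf-8") as fh:
        for n, raw in enumerate(fh, 1):
            line = raw.rstrip("\r\n")
            if not line or line.startswith("#"):
                continue
            fields = parse_pgpass_line(line)
            if fields is None:
                findings.append(f"line {n}: expected 5 colon-separated fields")
            elif fields[0] == "*":
                findings.append(f"line {n}: wildcard host matches any server")
    return findings

def demo():
    """Write the constructed sample with a loose mode and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pgpass.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        return audit_pgpass(path)
```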
