Re: password is no required, authentication is overridden
From | Hiroshi Saito |
---|---|
Subject | Re: password is no required, authentication is overridden |
Date | |
Msg-id | 029501c6aaca$f5322de0$24110dde@IBMC4B5932F74B |
In response to | password is no required, authentication is overridden (Thomas Bley <thbley@gmail.com>) |
Responses | Re: password is no required, authentication is overridden |
List | pgsql-hackers |
From: "Andrew Dunstan"

> Thomas Bley wrote:
>
>> + The .pgpass file will be automatically created if you're using
>> pgAdmin III with "store password" being enabled in the connection
>> settings.
>
> It strikes me that this is actually a bad thing for pgadmin3 to be
> doing. It should use its own file, not the default location, at least if
> the libpq version is >= 8.1. We provided the PGPASSFILE environment
> setting just so programs like this could use alternative locations for
> the pgpass file. Otherwise, it seems to me we are violating the POLS, as
> in the case of this user who not unnaturally thought he had found a
> major security hole.

Ummm, the function which pgAdmin offers is the optimal at present.
I do not think that PGPASSFILE avoids the danger clearly.
Probably, it is easy for the user who is malicious in the change to find it.
I consider it to be a problem that the password is finally PlainText.
Then, I made the proposal before. However, it was indicated that deliberation is required again.....
I want to consider a good method again. Is there any proposal with good someone?

Regards,
Hiroshi Saito
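Review bot: the added sentence (quoted above from Thomas Bley's patch) tells the reader that pgAdmin III creates the .pgpass file but not what follows from that, which is the surprise this thread is about: the saved password ends up in plain text in the default location. Suggest stating that in the same sentence and mentioning the PGPASSFILE environment setting as the way to use a different file. The wording `with "store password" being enabled` would also read better as `with "store password" enabled`.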