Re: Storing the password in .pgpass file in an encrypted format

From: Jeff Janes
Subject: Re: Storing the password in .pgpass file in an encrypted format
Date:
Msg-id: CAMkU=1wdab41eT7tCHSL7gC7grht9A2ThN9-w2qSwzLMu0rz5g@mail.gmail.com
In reply to: Re: Storing the password in .pgpass file in an encrypted format (Alvaro Herrera <alvherre@2ndquadrant.com>)
Responses: Re: Storing the password in .pgpass file in an encrypted format (Alvaro Herrera <alvherre@2ndquadrant.com>)
List: pgsql-hackers
On Fri, Feb 21, 2014 at 7:04 AM, Alvaro Herrera <alvherre@2ndquadrant.com> wrote:
> Euler Taveira wrote:
> > On 21-02-2014 09:49, firoz e v wrote:
> > > Even though, there are ways to set the permissions on .pgpass, to disallow any access to world or group, the security rules of many organizations disallow to hold any kind of passwords, as plain text.
> > >
> > Is your goal hiding the password in .pgpass? You could add support to
> > accept md5... storage format as password.
>
> How would that work?  libpq needs the straight password to send to the
> server, not an encrypted one.

It looks like that is the way it is currently written, but it does not have to be that way, at least for "md5" rather than "password" authentication.

> If you were to have a mechanism by which
> libpq can store an md5'd password (or whatever hash) and send that md5
> to the server and have the server accept it to grant a connection, then
> the md5 has, in effect, become the unencrypted password which others can
> capture from the file, and you're back at square one.

The string in .pgpass would be enough for people to log into postgresql, true.  But it would not work to log onto other things which share the same clear-text password but don't share the same salting mechanism.

Cheers,

Jeff
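The md5 challenge-response the thread is arguing about, as an added Python illustration (not code from the thread or from PostgreSQL): the client's answer to the server's salt can be computed from the stored `md5...` verifier alone, so a hashed .pgpass entry is password-equivalent for PostgreSQL (Alvaro's point) while still not being the cleartext itself (Jeff's point). The username, password and salt below are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values, not from the thread.
USERNAME = "alice"
PASSWORD = "correct horse battery staple"
SALT = b"\x01\x02\x03\x04"  # the 4-byte challenge the server sends for md5 auth


def pg_md5_verifier(password: str, username: str) -> str:
    """Value the server stores in pg_authid for md5 auth:
    'md5' + hex(md5(password || username)).
    This is also what a 'hashed .pgpass' entry would have to contain."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def md5_auth_response(verifier: str, salt: bytes) -> str:
    """Client reply to the salt challenge:
    'md5' + hex(md5(hex_inner || salt)), where hex_inner is the verifier
    without its 'md5' prefix. Note that the cleartext is never needed here."""
    inner_hex = verifier[len("md5"):].encode()
    return "md5" + hashlib.md5(inner_hex + salt).hexdigest()


def response_from_cleartext(password: str, username: str, salt: bytes) -> str:
    """What libpq does today: hash the cleartext first, then answer."""
    return md5_auth_response(pg_md5_verifier(password, username), salt)


def response_from_stored_hash(stored_verifier: str, salt: bytes) -> str:
    """What a client holding only the md5 string from the file could do."""
    return md5_auth_response(stored_verifier, salt)


def server_accepts(stored_verifier: str, salt: bytes, response: str) -> bool:
    """Server check: recompute the expected reply from its stored verifier."""
    expected = md5_auth_response(stored_verifier, salt)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    stored = pg_md5_verifier(PASSWORD, USERNAME)
    print("stored verifier:", stored)
    print("same reply from cleartext and from stored hash:",
          response_from_cleartext(PASSWORD, USERNAME, SALT)
          == response_from_stored_hash(stored, SALT))
```

The per-connection salt only stops replay of a captured reply; it does nothing against a reader of the file who holds the verifier, which is why the thread concludes the hashed entry is "in effect" the password for PostgreSQL, even though it is not the password for other systems that salt differently.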
