Postgres: no password / trusted host configuration

Using plaintext password authentication for your Postgres connections poses unneeded risk: the credentials are vulnerable to sniffing, tampering, and hijacking. Beyond that, an attacker who has gained access to a large number of machines can escalate privileges quite easily (for a famous example, look at the Equifax case).

From the documentation:

"The method password sends the password in clear-text and is therefore vulnerable to password “sniffing” attacks. It should always be avoided if possible. If the connection is protected by SSL encryption then password can be used safely, though. (Though SSL certificate authentication might be a better choice if one is depending on using SSL)."

Problem

In pg_hba.conf, locate entries whose authentication method is trust (no password at all) or password (password sent in clear text), for example:

host	all	all	192.168.1.10	255.255.255.255	password

Fix

In pg_hba.conf, switch that entry to a stronger authentication method:

host	all	all	192.168.1.10	255.255.255.255	scram-sha-256

scram-sha-256 is currently the most secure of the password-based authentication methods.
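As an added example, not part of the original page, here is a small Python audit that parses pg_hba.conf records (including the IP-plus-netmask address form used above) and flags entries still using trust, password, or the superseded md5 method. The sample file and the SEVERITY and HOST_TYPES names are this example's own constructions.

```python
"""Audit pg_hba.conf for entries that skip the password or send it in clear text."""
import ipaddress

# trust = no password at all, password = clear text, md5 = superseded by scram-sha-256.
SEVERITY = {"trust": "weak", "password": "weak", "md5": "legacy"}
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """Yield (line_no, type, database, user, address, method) per record; comments and blanks skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        conn_type = fields[0]
        if conn_type == "local":              # local DATABASE USER METHOD [OPTIONS]
            address, method_idx = "", 3
        elif conn_type in HOST_TYPES:         # host DATABASE USER ADDRESS METHOD [OPTIONS]
            # ADDRESS is a single CIDR/hostname column, or the older "IP netmask" pair.
            if len(fields) >= 6 and _is_ip(fields[3]) and _is_ip(fields[4]):
                address, method_idx = f"{fields[3]} {fields[4]}", 5
            else:
                address, method_idx = fields[3], 4
        else:
            raise ValueError(f"line {line_no}: unknown connection type {conn_type!r}")
        if len(fields) <= method_idx:
            raise ValueError(f"line {line_no}: record is missing its authentication method")
        yield line_no, conn_type, fields[1], fields[2], address, fields[method_idx]

def audit_hba(text):
    """Return (line_no, method, severity) for every record that should move to scram-sha-256."""
    return [(ln, m, SEVERITY[m.lower()]) for ln, *_, m in parse_hba(text) if m.lower() in SEVERITY]

# Constructed sample; lines 3 and 4 are the page's "Problem" and "Fix" entries.
SAMPLE = """\
# TYPE  DATABASE  USER  ADDRESS                        METHOD
local   all       all                                  peer
host    all       all   192.168.1.10  255.255.255.255  password
host    all       all   192.168.1.10  255.255.255.255  scram-sha-256
host    all       all   10.0.0.0/8                     trust
hostssl all       all   0.0.0.0/0                      md5
"""
```

Running audit_hba(SAMPLE) reports the password, trust, and md5 lines with their line numbers, so the same function can be pointed at a real /etc/postgresql/.../pg_hba.conf after reading it.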

See