Thursday, March 31, 2011

A post about Authentication

At Rdbhost, there are passwords, and there are 'authcodes'.  What is the difference?

Passwords are about 30 characters or less, memorable, and submitted together with an email address as the login. The email/password login is back-stopped by failure counters that inhibit brute-force attacks on the password by requiring increasing delays between tries.
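As an added illustration (not Rdbhost's code), here is a per-login failure counter of the kind described above: each consecutive failure doubles the wait before the next try is accepted, up to a cap. The base delay, the cap and the sample login are assumptions; guesses_possible() shows what the policy does to an online guesser's budget over a given window.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Added example (not Rdbhost code): a per-login failure counter that
# enforces an increasing delay between tries, as the post describes for
# the email/password login.  BASE_DELAY and MAX_DELAY are assumed values.

BASE_DELAY = 1.0      # seconds to wait after the first failure
MAX_DELAY = 15 * 60   # back-off stops growing at 15 minutes


def delay_after(failures: int) -> float:
    """Seconds a login must wait after `failures` consecutive bad tries."""
    if failures <= 0:
        return 0.0
    return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)


def guesses_possible(window_seconds: float) -> int:
    """Number of online guesses the delays allow within a window, starting fresh."""
    elapsed, guesses = 0.0, 0
    while elapsed <= window_seconds:
        guesses += 1
        elapsed += delay_after(guesses)
    return guesses


class ManualClock:
    """Settable clock so the throttle can be exercised without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


@dataclass
class LoginThrottle:
    """Tracks consecutive failures per login and gates further attempts."""
    clock: Callable[[], float] = time.monotonic
    failures: Dict[str, int] = field(default_factory=dict)      # login -> count
    last_failure: Dict[str, float] = field(default_factory=dict)  # login -> time

    def seconds_until_allowed(self, login: str) -> float:
        count = self.failures.get(login, 0)
        if count == 0:
            return 0.0
        ready_at = self.last_failure[login] + delay_after(count)
        return max(0.0, ready_at - self.clock())

    def attempt(self, login: str, password_ok: bool) -> str:
        """Return 'ok', 'bad-password' or 'too-soon'.

        The delay is checked before the password, so a try sent early learns
        nothing about whether the guess was right.
        """
        if self.seconds_until_allowed(login) > 0:
            return "too-soon"
        if password_ok:
            self.failures.pop(login, None)
            self.last_failure.pop(login, None)
            return "ok"
        self.failures[login] = self.failures.get(login, 0) + 1
        self.last_failure[login] = self.clock()
        return "bad-password"


def demo() -> List[str]:
    """Walk one constructed login through two failures and a success."""
    clock = ManualClock()
    throttle = LoginThrottle(clock=clock)
    login = "alice@example.com"                  # constructed sample login
    seen = []
    seen.append(throttle.attempt(login, False))  # wrong password
    seen.append(throttle.attempt(login, False))  # still inside the 1 s delay
    clock.now = 1.0
    seen.append(throttle.attempt(login, False))  # wrong again; delay is now 2 s
    clock.now = 2.0
    seen.append(throttle.attempt(login, True))   # right password, but 1 s early
    clock.now = 3.0
    seen.append(throttle.attempt(login, True))   # accepted; counter reset
    return seen


if __name__ == "__main__":
    print(demo())
    print(guesses_possible(3600), guesses_possible(86400))
```

With these assumed numbers the counter admits 13 guesses in the first hour and 105 in a day, which is what lets a short, memorable password survive online guessing. The throttle answers "too-soon" before it looks at the password, so early tries reveal nothing.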

Authcodes are 50 randomly generated characters from the base-64 character set, assigned to the account. Machine requests to the database are submitted with a role name and an authcode. There is failure counting here, too, but for performance reasons there are multiple counters distributed around the system; they do not max out simultaneously, and the tolerated failure count for each is fairly high. That is acceptable because a 50-character base-64 string has 300 bits of entropy, so guessing one is infeasible regardless of the counters. Authcodes are also fairly resistant to social-engineering attacks, since nobody chose them and there is little reason to remember them: they get embedded in code and forgotten.

Two roles have authcodes, and two do not: other than the super role, only the auth role has an authcode.

The auth role differs from the super role in that it can only run white-listed queries, and a given white-listed query can be restricted to run only for that particular role. Since the auth role requires authentication, you can restrict its use to certain prequalified users, give the role more Postgres privileges, and give its white-listed queries more power.

There has always been a way to change passwords, and now there is a way to reset authcodes, that is, to replace one with a new random authcode.
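The following is an added example, not Rdbhost's implementation, covering both the authcode properties described earlier (50 random base-64 characters, checked against a role name) and the reset just mentioned. The role name, the in-memory store and the comparison strategy are assumptions; the entropy figures follow from the stated length and alphabet.

```python
import hmac
import math
import secrets
import string

# Added example (not Rdbhost code): issuing, verifying and resetting random
# authcodes of the kind the post describes.  The role name "auth" is taken
# from the post; the store layout is an assumption for illustration.

AUTHCODE_LEN = 50
AUTHCODE_ALPHABET = string.ascii_letters + string.digits + "+/"   # base-64 set


def new_authcode() -> str:
    """50 characters drawn uniformly from the base-64 alphabet via the OS CSPRNG."""
    return "".join(secrets.choice(AUTHCODE_ALPHABET) for _ in range(AUTHCODE_LEN))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string; an upper bound for a human-chosen one."""
    return length * math.log2(alphabet_size)


class AuthcodeStore:
    """Maps a role name to its current authcode; a reset replaces the code outright."""

    def __init__(self) -> None:
        self._codes = {}   # role -> authcode (a real service would hash these)

    def issue(self, role: str) -> str:
        code = new_authcode()
        self._codes[role] = code
        return code

    def reset(self, role: str) -> str:
        """Replace the role's authcode with a fresh random one; the old one stops working."""
        if role not in self._codes:
            raise KeyError(f"role {role!r} has no authcode")
        return self.issue(role)

    def verify(self, role: str, presented: str) -> bool:
        # Always run a constant-time comparison, against a dummy of the right
        # length when the role is unknown, so response time reveals neither
        # whether the role exists nor how many leading characters matched.
        known = role in self._codes
        stored = self._codes.get(role, "x" * AUTHCODE_LEN)
        match = hmac.compare_digest(presented.encode(), stored.encode())
        return known and match


def demo() -> dict:
    """Issue, verify, reset and re-verify an authcode for the auth role."""
    store = AuthcodeStore()
    first = store.issue("auth")
    out = {"first_ok": store.verify("auth", first)}
    second = store.reset("auth")
    out["old_rejected"] = not store.verify("auth", first)
    out["new_ok"] = store.verify("auth", second)
    out["unknown_role_rejected"] = not store.verify("nosuchrole", second)
    out["distinct"] = first != second
    out["well_formed"] = len(second) == AUTHCODE_LEN and set(second) <= set(AUTHCODE_ALPHABET)
    return out


if __name__ == "__main__":
    print(demo())
    print(entropy_bits(AUTHCODE_LEN, len(AUTHCODE_ALPHABET)), "bits for an authcode")
    print(round(entropy_bits(30, 95)), "bits at most for a 30-character typed password")
```

The entropy comparison is the reason the two credential types can be throttled differently: 300 bits for an authcode versus at most about 197 bits for a 30-character string over the printable ASCII set, and far less for anything a person actually remembers. Because an authcode cannot be guessed online, a high per-counter failure tolerance costs nothing, whereas the password path must back off aggressively.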

https://www.rdbhost.com/roles.html
