Why Database Passwords Are High-Value Targets
A compromised database password gives an attacker direct access to your application data — user records, payment information, emails, everything. Unlike an API endpoint, there is no rate limiting, no WAF, no application-level access control. It is raw, unrestricted access.
Database breaches are consistently among the most expensive security incidents. They also tend to go undetected for months because direct database access often bypasses application-level logging.
Requirements by Database Engine
Different databases have different password constraints and security features. Here is what you need to know for the most common engines:
| Database | Max Password Length | Character Restrictions | Notes |
|---|---|---|---|
| PostgreSQL | 1000 chars | None (any UTF-8) | Supports SCRAM-SHA-256 authentication |
| MySQL | Unlimited | None | Use caching_sha2_password plugin (default in 8.x) |
| MongoDB | Unlimited | Avoid colons in SCRAM auth | Enable SCRAM-SHA-256, disable legacy auth |
| Redis | 512 chars | None | Use ACL system (Redis 6+) instead of single requirepass |
Pro tip: Avoid special characters that may cause issues in connection strings. Characters like @, :, /, and % often need URL encoding in connection URIs. Stick to alphanumeric plus safe symbols like-, _, ., and !.
Generate a Database Password
Use the generator below to create a strong database password. It is preset to 32 characters with alphanumeric characters only — safe for connection strings without encoding issues. Everything runs locally in your browser.
Generate a database password →
How to Store Database Passwords
Database credentials should never be hardcoded in your application or committed to version control. Here are the approaches, ranked from best to acceptable:
1. Secrets Manager (Best)
Use a dedicated secrets manager like AWS Secrets Manager, Google Cloud Secret Manager, HashiCorp Vault, or Doppler. These tools encrypt credentials at rest, provide audit logs, support automatic rotation, and integrate with your deployment pipeline.
2. Environment Variables
Store credentials in environment variables set by your deployment system (Kubernetes secrets, Docker secrets, platform env vars). Better than config files, but no audit trail and rotation requires redeployment.
3. Encrypted Config Files
Tools like SOPS, git-crypt, or Ansible Vault encrypt config files before they are committed. The decryption key is managed separately. Acceptable for smaller teams, but harder to rotate and audit.
Never do this: Do not store database passwords in .env files committed to git, in Slack messages, in shared Google Docs, or in deployment scripts. These are the most common sources of database credential leaks.
Sharing Database Credentials with Your Team
There are legitimate reasons to share a database password: onboarding a new developer, granting access to a DBA, or sharing staging credentials with a contractor. Here is the safe way to do it:
- For one-time sharing: Use an encrypted one-time link. Paste the connection string, send the link, and it self-destructs after reading. The server never sees the plaintext.
- For ongoing access: Add the person to your secrets manager with their own credentials. Never share a single password across the team.
- For contractors: Create a separate database user with limited permissions. Share the credentials via one-time link and revoke the user when the project ends.
Password Rotation Strategy
Rotating database passwords is critical but often neglected because it is disruptive. Here is a practical rotation strategy:
- Automate it. If your secrets manager supports it, enable automatic rotation (AWS Secrets Manager does this natively for RDS).
- Use dual credentials. Create two database users. Rotate one while the other is active. Switch traffic, then rotate the other. Zero downtime.
- Rotate on events. Always rotate when a team member leaves, after a security incident, or when credentials may have been exposed.
- Set a schedule. At minimum, rotate every 90 days. For production databases with sensitive data, monthly is better.
Connection String Security Checklist
- Always use TLS/SSL for database connections —
sslmode=requirein PostgreSQL,--ssl-mode=REQUIREDin MySQL - Use connection pooling (PgBouncer, ProxySQL) to limit direct database exposure
- Restrict database access to specific IP ranges or VPC/VPN
- Use separate credentials per service and environment (dev, staging, prod)
- Log all connection attempts and set up alerts for unknown IPs
- Disable default accounts (postgres, root, admin) and create named users
Need to share database credentials?
Create an encrypted one-time link that self-destructs after reading. No signup, no tracking, end-to-end encrypted.
Create a secure link