I've set up my Django settings.py in such a way that I can access the Postgres instance in the cloud containing my production data in my local development environment by running this command in my local venv shell, in this format:
export DATABASE_URL='postgres://USER:PASSWORD@HOST:PORT/NAME'
It’s a very helpful feature. I love it.
As an example, here is a Postgres instance which contains placeholder content:
export DATABASE_URL='postgres://shzxdfrkdiilyw:37ec5eee52abf4a772454d55e6a71779c05b6720622e945cad54f4fbf7e6f84d@ec2-54-84-98-18.compute-1.amazonaws.com:5432/dcjnf0h34cfsc5'
You would think that posting the above URI on a public forum like this one is terrible security practice; however, Heroku gives admins a tool to generate a new Postgres username/password combo. Here is the command:
(venv) $ heroku pg:credentials:rotate
Before starting this thread, I invoked it. So the hostname, port, and name remain the same, but the new Postgres user/password is completely different.
If an attacker discovered my Postgres username, to brute force a password that is 64 characters long with a 36-character charset, this has 250 bits of entropy, making it impossible to crack with current silicon.
Here is my question for all of you now: Since the username/pass is now different, for confirmation and verification, my site is still secure and my data is protected, is this correct?
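As an added example (not code from the poster or from Heroku), the following Python snippet does three things a practitioner would want around a leaked-and-rotated DATABASE_URL: it confirms that a new URL really differs from the old one in both username and password while still pointing at the same host, port and database; it estimates the brute-force entropy of the password from the character set it actually draws on (digits, hex, lower-case alphanumerics, and so on) rather than an assumed alphabet; and it redacts the password before the URL is logged or pasted anywhere. The connection strings below are constructed with hypothetical hostnames and credentials, not real ones.

```python
import math
import string
from urllib.parse import urlsplit, urlunsplit

# Constructed sample URLs in the same shape as a Heroku-style DATABASE_URL.
# Hostnames, users and passwords are hypothetical placeholders.
OLD_URL = ("postgres://olduser:"
           "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
           "@db.example.internal:5432/appdb")
NEW_URL = ("postgres://newuser:"
           "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
           "@db.example.internal:5432/appdb")

# Candidate alphabets, smallest first; the first one that covers every
# character of the secret is taken as the attacker's search space.
CHARSETS = [
    ("digits", set(string.digits)),
    ("hex", set("0123456789abcdef")),
    ("alnum-lower", set(string.ascii_lowercase + string.digits)),
    ("alnum", set(string.ascii_letters + string.digits)),
    ("printable", set(string.printable.strip())),
]


def detect_charset(secret):
    """Return (name, size) of the smallest listed charset covering the secret."""
    chars = set(secret)
    for name, charset in CHARSETS:
        if chars <= charset:
            return name, len(charset)
    return "bytes", 256  # falls back to arbitrary bytes


def entropy_bits(secret):
    """Brute-force entropy in bits: length * log2(charset size)."""
    name, size = detect_charset(secret)
    return name, len(secret) * math.log2(size)


def credentials_rotated(old_url, new_url):
    """True only if user and password both changed but host/port/db did not."""
    old, new = urlsplit(old_url), urlsplit(new_url)
    same_target = (old.hostname, old.port, old.path) == (new.hostname, new.port, new.path)
    return same_target and old.username != new.username and old.password != new.password


def redact_url(url):
    """Replace the password component with *** so the URL is safe to log or post."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    netloc = f"{parts.username}:***@{parts.hostname}"
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    print("rotated:", credentials_rotated(OLD_URL, NEW_URL))
    print("old password entropy:", entropy_bits(urlsplit(OLD_URL).password))
    print("safe to share:", redact_url(NEW_URL))
```

Running the script reports whether the rotation changed both halves of the credential, the entropy of the old password measured against its real alphabet (a 64-character hex string is 64 × log2(16) = 256 bits), and a redacted form of the new URL that can be pasted without exposing the secret.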