Publicly Visible Database Password on Github an issue?

Question

I'm running an express server and I am very new to databases. If I have a public repo on Github of my express server and have this line of code publicly visible in one of the files:

const pool = new Pool({
  user: "postgres",
  host: "localhost",
  database: "postgres",
  password: "dummypassword",
  post: 5432
});

Can people somehow connect to my PSQL database using my 'dummypassword' and mess up people's accounts that are stored in that database? I am planning to deploy it to DigitalOcean and I am wondering if this could be an issue somehow later down the road.

Thanks :)

Answer 1

If dummypassword is your true database password, then yes, this is absolutely a problem. You would literally be giving hackers instructions on exactly how to connect to your database! Don't do this.

Look into using dotenv on npm. This will allow you to create a .env file that can hold this precious information on a server outside of version control i.e. Github.

https://www.npmjs.com/package/dotenv

To expound on this, I would always err on the side of caution when dealing with database credentials. Say someone did get access to this information but that wasn't the actual database password, but the rest of the credentials were. The intruder now knows what kind of database you are running, where it's located, what port, and the username. All they need is the password in order to gain access to your entire production database and all of your users information.

Answer 2

I'm assuming you are saying; can someone connect to my production database ONCE you have changed the password for your production database?

If so then there is nothing in your example that isn't default so the answer is no.

If you're saying that "dummypassword" will be in production then yes that would NOT be a good idea, but I'm guessing you're not saying that.