Does Discourse have a strong randomized default database password?

I am hosting my Discourse forum publicly over at https://2k2k.org and https://blleaks.org, and I am planning to open it up to UK users too, in regards to all the UK's concerning privacy rules, so they can be free on the forum. However, since my site is also a grey hat forum tailored towards hackers, I want to ask if the default database password is secure, long and random, distinct from all other Discourse databases. I do not want a major leak to happen that affects all Discourse platforms, so I wanted to ask if the database user for Discourse is actually strong and, if not, whether I could receive guidance on how to secure the platform better. In addition, my site is behind Cloudflare and is proxied, so I don't know if that helps in any way.

Cheers all

The default install’s authentication method to PostgreSQL does not use a password; it uses peer authentication.

3 Likes

The standalone Docker setup does connect via a Unix socket to the database. But it does configure the server to listen on any interface. It will configure the network connection to use scram-md5 (instead of the more modern scram-sha-256). PostgreSQL’s scram-md5 is still considered to be safe, but it’s better to use scram-sha-256, though that is a breaking change (see linked article). No users with credentials are created, though.

If you are exposing the database port in the container, and you are adding users with credentials, then you should ensure not to expose the PostgreSQL port to the internet, and to use long (generated) passwords.
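A small audit script for the two settings discussed in the reply above (the `pg_hba.conf` authentication method per network rule, and whether `postgresql.conf` makes the server listen on every interface). This is an added example written for this thread, not code from Discourse or the `discourse_docker` templates; PostgreSQL names the hashing methods `md5` and `scram-sha-256` in `pg_hba.conf`. The sample configuration files are constructed inline and only resemble a container-style setup (local peer authentication plus a catch-all network rule); they do not reproduce the actual Discourse template.

```shell
#!/usr/bin/env bash
# hba_findings FILE
# Prints one finding per network rule (host/hostssl/hostnossl) in a
# pg_hba.conf that either uses a weak or missing password check
# (md5, password, trust) or accepts connections from any address.
# "local" (Unix socket) rules, comments and blank lines are ignored.
hba_findings() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    $1 ~ /^host(ssl|nossl)?$/ {
      # Columns: TYPE DATABASE USER ADDRESS METHOD [OPTIONS].
      # ADDRESS is a CIDR, a keyword, or an IP followed by a netmask field.
      if ($4 ~ /\// || $4 ~ /^(all|samehost|samenet)$/) { addr = $4; method = $5 }
      else { addr = $4 "/" $5; method = $6 }
      if (method == "md5" || method == "password" || method == "trust")
        printf "line %d: weak method %s for %s\n", NR, method, addr
      if (addr == "0.0.0.0/0" || addr == "::/0" || addr == "all")
        printf "line %d: rule open to any address (%s)\n", NR, addr
    }
  ' "$1"
}

# hba_finding_count FILE -> number of findings, as a bare integer.
hba_finding_count() {
  hba_findings "$1" | wc -l | tr -d ' '
}

# hba_is_clean FILE -> exit 0 when the file produced no findings.
hba_is_clean() {
  [ -z "$(hba_findings "$1")" ]
}

# listen_is_open FILE -> exit 0 when postgresql.conf sets listen_addresses
# to '*' or 0.0.0.0, i.e. PostgreSQL accepts TCP on every interface instead
# of only localhost or the Unix socket. Commented-out lines do not count.
listen_is_open() {
  grep -E "^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*'?(\*|0\.0\.0\.0)'?" "$1" >/dev/null
}

# --- constructed sample files (not real Discourse configuration) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Socket access via peer auth, but a catch-all network rule still on md5.
cat > "$demo_dir/weak_hba.conf" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
host    all       all   0.0.0.0/0     md5
EOF

# Hardened variant: scram-sha-256 only, and only from named networks.
cat > "$demo_dir/hardened_hba.conf" <<'EOF'
local   all       all                 peer
host    all       all   127.0.0.1/32  scram-sha-256
hostssl all       all   10.0.0.0/8    scram-sha-256
EOF

printf "listen_addresses = '*'\n"         > "$demo_dir/open_pg.conf"
printf "listen_addresses = 'localhost'\n" > "$demo_dir/local_pg.conf"

# Stand-alone run: report on the weak sample.
echo "weak_hba.conf findings: $(hba_finding_count "$demo_dir/weak_hba.conf")"
hba_findings "$demo_dir/weak_hba.conf"
if listen_is_open "$demo_dir/open_pg.conf"; then
  echo "open_pg.conf: server listens on all interfaces"
fi
```

Run it against the real files copied out of the container (for example with `docker cp`) by calling `hba_findings /path/to/pg_hba.conf` and `listen_is_open /path/to/postgresql.conf`; a rule flagged as `md5` is the one to move to `scram-sha-256` (after re-hashing the affected passwords, which is the breaking change the reply mentions), and an open `listen_addresses` only matters if the container's port is also published to the host or the internet.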