Generate Database Password Password

Avoid single quotes ('), double quotes ("), backslashes (\), semicolons (;), and the at symbol (@) in database passwords. These characters have special meaning in SQL, connection strings, and configuration file formats. A password containing these can break your application's database connection without any clear error message.

Use environment variables, a dedicated secrets manager (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault), or encrypted configuration files. Never hardcode database passwords in source code or commit them to version control. In Docker environments, use Docker secrets or mount encrypted files rather than passing passwords as build arguments.

Yes. Following the principle of least privilege, create separate database users with different passwords for different access levels. Your application's read-only reporting queries should use a restricted user, while schema migrations use a more privileged one. This limits the damage if any single credential is compromised.

Rotate database passwords every 90 days or whenever a team member with access leaves the organization. Automate rotation using your secrets manager's built-in rotation feature to avoid downtime. Plan for zero-downtime rotation by supporting dual credentials during the transition period between old and new passwords.