Insecure passwords

doc/configuration-password-management.xml

@@ -13,10 +13,11 @@
   </indexterm>
 
   <para>
-    For security purposes it's desirable to protect database access using a password.
+    For security purposes, it's desirable to protect database access using a password.
   </para>
   <para>
-    PostgreSQL has three ways of providing a password:
+    PostgreSQL has three ways of providing a password (ordered from least to most secure
+    as viewed from the perspective of &repmgr;):
     <itemizedlist spacing="compact" mark="bullet">
 
        <listitem>
@@ -49,21 +50,22 @@
   </para>
   <note>
     <para>
-      Currently &repmgr; does not fully support use of the <option>password</option> option in the
+      Currently, &repmgr; does not fully support the use of the <option>password</option> option in the
       <option>conninfo</option> string.
     </para>
   </note>
   <para>
-    Exporting the password as an environment variable (<envar>PGPASSWORD</envar>) is considered
-    less insecure, but the PostgreSQL documentation explicitly recommends against doing this:
+    It is possible to export the password as an environment variable (<envar>PGPASSWORD</envar>),
+    but this is also considered insecure, and the PostgreSQL documentation explicitly recommends
+    against doing so:
    <blockquote>
      <attribution><ulink url="https://www.postgresql.org/docs/current/libpq-envars.html">Environment Variables</ulink></attribution>
      <para>
        <envar>PGPASSWORD</envar> behaves the same as the <option>password</option>
        connection parameter. Use of this environment variable
        is not recommended for security reasons, as some operating systems
        allow non-root users to see process environment variables via
-       <application>ps</application>; instead consider using a password file.
+       <application>ps</application>; instead, consider using a password file.
      </para>
     </blockquote>