Stored passwords
If client users use the nzpassword command to store database user passwords on a client system, they can supply only a database user name and host on the command line. Users can also continue to enter a password on the command line if displaying clear-text passwords is not a security concern.
If you supply a password on the command line, it takes precedence over the environment variable NZ_PASSWORD. If the environment variable is not set, the system checks the locally stored password file. If there is no password in this file and you are using the nzsql command, the system prompts you for a password; otherwise, the authentication request fails.
In all cases (using the -pw option on the command line, using the NZ_PASSWORD environment variable, or using the locally stored password that is stored through the nzpassword command), Netezza Performance Server compares the password against the entry in the system catalog for local authentication or against the LDAP or KERBEROS account definition. The authentication protocol is the same, and Netezza Performance Server never sends clear-text passwords over the network.
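The lookup order described above, written out as an added shell example (not IBM code) that names the source a given client invocation would use and marks the two sources that hold the password in clear text on the client. The function name nz_password_source, its output labels, the stored-file path argument, and the rule that a non-empty file means "an entry exists" are assumptions made for illustration.

```shell
# Added example, not IBM code: name the password source a client command
# would use, following the precedence described above.
# Usage: nz_password_source <stored-file> <command> [args...]
# <stored-file> is a hypothetical stand-in for the file nzpassword maintains.
nz_password_source() {
    stored_file=$1
    cmd=$2
    shift 2

    # 1. -pw on the command line takes precedence over everything else.
    #    The value is clear text in the process list and shell history.
    for arg in "$@"; do
        if [ "$arg" = "-pw" ]; then
            echo "command-line:cleartext"
            return 0
        fi
    done

    # 2. Otherwise NZ_PASSWORD is used if it is set (clear text on the client).
    if [ -n "${NZ_PASSWORD+set}" ]; then
        echo "environment:cleartext"
        return 0
    fi

    # 3. Otherwise the locally stored (encrypted) password file is checked.
    #    Assumption: a non-empty file stands for "an entry exists"; the real
    #    lookup is for a specific host and user.
    if [ -s "$stored_file" ]; then
        echo "stored-file:encrypted"
        return 0
    fi

    # 4. Only nzsql falls back to a prompt; any other command fails.
    if [ "$cmd" = "nzsql" ]; then
        echo "prompt:interactive"
        return 0
    fi
    echo "none:authentication-fails"
    return 1
}

# Constructed invocations; user names and password values are made up.
demo=$(mktemp -d) && printf 'x' > "$demo/stored" && : > "$demo/empty"
( unset NZ_PASSWORD; nz_password_source "$demo/stored" nzsql -u admin -pw example )
( NZ_PASSWORD=example; nz_password_source "$demo/stored" nzsql -u admin )
( unset NZ_PASSWORD; nz_password_source "$demo/stored" nzsql -u admin )
( unset NZ_PASSWORD; nz_password_source "$demo/empty" nzsql -u admin )
( unset NZ_PASSWORD; nz_password_source "$demo/empty" nzload -u admin ) || true
rm -rf "$demo"
```

Running the same check over job scripts or scheduler entries shows which ones still pass the password through -pw or NZ_PASSWORD instead of the stored file.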
In release 6.0.x, the encryption that is used for locally encrypted passwords changed. In previous releases, Netezza Performance Server used the Blowfish encryption routines; release 6.0 now uses the Advanced Encryption Standard (AES-256). When you cache a password by using a release 6.0 client, the password is saved in AES-256 format unless there is an existing password file in Blowfish format. In that case, new stored passwords are saved in Blowfish format.
If you upgrade to a release 6.0.x or later client, the client can support passwords in either the Blowfish format or the AES-256 format. If you want to convert your existing password file to the AES-256 encryption format, you can use the nzpassword resetkey command to update the file. If you want to convert your password file from the AES-256 format to the Blowfish format, use the nzpassword resetkey -none command.