Jowell's right, pg_hba.conf has localhost set to trust by default. The default copy of pg_hba.conf does indeed have a page of documentation describing how it works. You can find it in /usr/local/pgsql/data if you've built it from source using the default makefile.
