Message-ID: <4266AF55.1070401@roaringpenguin.com>
Date: Wed, 20 Apr 2005 15:36:53 -0400
From: "David F. Skoll" <dfs@...ringpenguin.com>
To: Stephen Frost <sfrost@...wman.net>
Cc: pgsql-hackers@...tgresql.org, bugtraq@...urityfocus.com
Subject: Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords

Stephen Frost wrote:
> The md5 hash which is generated for and stored in pg_shadow does not
> use a random salt but instead uses the username which can generally be
> determined ahead of time (especially for the 'postgres' superuser
> account).

I noted that this was a problem back in August, 2002:

http://archives.postgresql.org/pgsql-admin/2002-08/msg00253.php

Then, as now, the developers weren't very concerned.

Regards,

David.
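
Added example, not part of the original message or of PostgreSQL's code: the pg_shadow value described in the quoted text, computed as "md5" followed by md5(password + username), set beside a verifier that uses a random per-account salt, with an audit helper that lists verifiers shared between clusters. The host names, passwords, helper names and the PBKDF2 comparison scheme are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

def pg_md5_verifier(username, password):
    # Stored form: "md5" + hex(md5(password || username)).
    # The username is the only salt, so the result is fully deterministic.
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest

def salted_verifier(password, salt=None, iterations=4096):
    # Comparison scheme (assumption): PBKDF2-SHA256 with a random 16-byte salt.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def salted_check(password, stored):
    # Recompute with the stored salt and iteration count, compare in constant time.
    iterations, salt_hex, _ = stored.split("$")
    expected = salted_verifier(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(expected, stored)

def shared_verifiers(rows):
    # rows: (host, role, verifier). Returns verifiers stored for more than one account.
    groups = defaultdict(list)
    for host, role, verifier in rows:
        groups[verifier].append((host, role))
    return {v: where for v, where in groups.items() if len(where) > 1}

def build_inventory(make_verifier):
    # Constructed sample data: db1 and db2 reuse one password, db3 does not.
    accounts = [("db1", "postgres", "constructed-pw-1"),
                ("db2", "postgres", "constructed-pw-1"),
                ("db3", "postgres", "constructed-pw-2")]
    return [(h, r, make_verifier(r, p)) for h, r, p in accounts]

if __name__ == "__main__":
    md5_rows = build_inventory(pg_md5_verifier)
    salted_rows = build_inventory(lambda role, pw: salted_verifier(pw))
    print("username-salted duplicates:", shared_verifiers(md5_rows))
    print("random-salted duplicates:  ", shared_verifiers(salted_rows))
```

With the username as salt, the two clusters that reuse a password store byte-identical values for 'postgres'; with a random salt no two stored values match.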