marcin mank <marcin(dot)mank(at)gmail(dot)com> writes:
>> The case that ENCRYPTED
>> protects against is database superusers finding out other users'
>> original passwords, which is a security issue to the extent that those
>> users have used the same/similar passwords for other systems.
> I just want to note that md5 is not much of a protection against this
> case these days. Take a look at this:
> It takes about 32 hours to brute force all passwords from [a-zA-Z0-9]
> of up to 8 chars in length.
Yeah, but that will find you a password that hashes to the same thing.
Not necessarily the same password. It'll get you into the Postgres
DB just fine, which you don't care about because you're already a
superuser there. It won't necessarily get you into the assumed
regards, tom lane
In response to
pgsql-hackers by date
|Next:||From: Itagaki Takahiro||Date: 2009-09-29 01:11:19|
|Subject: Re: Buffer usage in EXPLAIN and pg_stat_statements (review)|
|Previous:||From: Cathy Mullican||Date: 2009-09-28 23:25:26|
|Subject: Re: [PATCH] DefaultACLs|