| From: | Tony Caduto <tony_caduto(at)amsoftwaredesign(dot)com> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Password issue revisited |
| Date: | 2007-02-20 18:57:14 |
| Message-ID: | 45DB448A.3040308@amsoftwaredesign.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-docs pgsql-general |
Magnus Hagander wrote:
> Are we sure we want to do this? (Sorry, didn't notice this thread last
> time)
>
> The default on *all* windows versions since NT 4.0 (which is when the
> directory we use was added) will put this file in a protected directory.
>
Is there truly such a thing on a windows PC? All it takes is one Virus
or Malware to gain access to the PC and anything stored in the
user profile is easy picking.
The virus and malware creators may not know about the pg_pass file now,
but they will eventually.
What about having a wallet type system where the user can create a pass
phrase to protect a generated key that would get
loaded once per session. That is how KDE allows users to store passwords.
I work at a large financial institution and if the auditors knew about
the pg_pass being plain text, they would pretty much ban
it's use.
Anytime a password is sitting on a non encrypted file system, regardless
of it's permissions it is potentially at risk.
--
Tony
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2007-02-20 19:04:04 | Re: Password issue revisited |
| Previous Message | Bruce Momjian | 2007-02-20 18:15:44 | Re: [GENERAL] Password issue revisited |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Karl O. Pinc | 2007-02-20 19:00:39 | Views: having a rule call a function vs. using a before trigger |
| Previous Message | Bruce Momjian | 2007-02-20 18:15:44 | Re: [GENERAL] Password issue revisited |