Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords

From: "David F(dot) Skoll" <dfs(at)roaringpenguin(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: pgsql-hackers(at)postgresql(dot)org, bugtraq(at)securityfocus(dot)com
Subject: Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Date: 2005-04-20 19:36:53
Message-ID: 4266AF55.1070401@roaringpenguin.com
Lists: pgsql-hackers

Stephen Frost wrote:

> The md5 hash which is generated for and stored in pg_shadow does not
> use a random salt but instead uses the username which can generally be
> determined ahead of time (especially for the 'postgres' superuser
> account).

I noted that this was a problem back in August, 2002:

http://archives.postgresql.org/pgsql-admin/2002-08/msg00253.php

Then, as now, the developers weren't very concerned.

Regards,

David.
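
The property discussed in the quoted text, as an added example that is not part of the original message or of PostgreSQL's source. It relies on the documented stored format `'md5' || md5(password || username)`; the random-salt function, cluster names and passwords are constructed for illustration.

```python
import hashlib
import os
from collections import defaultdict


def pg_md5_stored(username, password):
    """Stored value for an md5 password: 'md5' + md5(password || username)."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def random_salted(password, salt=None):
    """Hypothetical contrast scheme: a fresh random salt per stored entry."""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex() + "$" + hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def reused_across_clusters(dumps):
    """Audit check: roles whose stored md5 value is identical in several clusters.

    dumps maps cluster name -> {role name: stored value}. Because the salt is
    only the username, an identical value means the same password is in use.
    """
    seen = defaultdict(list)
    for cluster, roles in dumps.items():
        for role, stored in roles.items():
            if stored.startswith("md5"):
                seen[(role, stored)].append(cluster)
    return {role: sorted(c) for (role, _), c in seen.items() if len(c) > 1}


# Constructed sample data standing in for the stored values of two clusters.
DUMPS = {
    "db-a": {"postgres": pg_md5_stored("postgres", "example-pw-1"),
             "app": pg_md5_stored("app", "example-pw-2")},
    "db-b": {"postgres": pg_md5_stored("postgres", "example-pw-1"),
             "app": pg_md5_stored("app", "example-pw-3")},
}

if __name__ == "__main__":
    # Same user and password give the same stored value on every installation.
    print(pg_md5_stored("postgres", "example-pw-1") == DUMPS["db-b"]["postgres"])
    # A random salt makes two entries for the same password differ.
    print(random_salted("example-pw-1") != random_salted("example-pw-1"))
    print(reused_across_clusters(DUMPS))
```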
