Re: Hashing passwords (was Updated TODO list)
Bruce Momjian <maillist@candle.pha.pa.us>
From: Bruce Momjian <maillist@candle.pha.pa.us>
To: Gene Sokolov <hook@aktrad.ru>
Cc: pgsql-hackers@postgreSQL.org
Date: 1999-07-09T16:46:31Z
Lists: pgsql-hackers
[Charset iso-8859-1 unsupported, filtering to ASCII...] > From: Bruce Momjian <maillist@candle.pha.pa.us> > > > > ADMIN > > > > > > > How about: > > > * Not storing passwords in plain text > > > > But we don't, do we? I thougth they were hashed. > > maybe I miss something but it does not look so to me: > > [PostgreSQL 6.5.0 on i386-unknown-freebsd3.2, compiled by gcc 2.7.2.1] > > test1=> select * from pg_shadow; > usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd|valuntil > --------+--------+-----------+--------+--------+---------+------+----------- > ----------------- > postgres| 2000|t |t |t |t | |Sat Jan 31 > 09:00:00 2037 MSK > afmmgr | 2001|f |t |f |t |mgrpwd| > afmusr | 2002|f |t |f |t |usrpwd| > (3 rows) Yes, I remember now. We keep them in clear, because we send random salt-encrypted versions over the wire. Only Postgresql can read this table. -- Bruce Momjian | http://www.op.net/~candle maillist@candle.pha.pa.us | (610) 853-3000 + If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill, Pennsylvania 19026