Re: Hashing passwords (was Updated TODO list)

Bruce Momjian <maillist@candle.pha.pa.us>

From: Bruce Momjian <maillist@candle.pha.pa.us>
To: Gene Sokolov <hook@aktrad.ru>
Cc: pgsql-hackers@postgreSQL.org
Date: 1999-07-09T16:46:31Z
Lists: pgsql-hackers
[Charset iso-8859-1 unsupported, filtering to ASCII...]
> From: Bruce Momjian <maillist@candle.pha.pa.us>
> > > > ADMIN
> > > >
> > > How about:
> > > * Not storing passwords in plain text
> >
> > But we don't, do we?  I thougth they were hashed.
> 
> maybe I miss something but it does not look so to me:
> 
> [PostgreSQL 6.5.0 on i386-unknown-freebsd3.2, compiled by gcc 2.7.2.1]
> 
> test1=> select * from pg_shadow;
> usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd|valuntil
> --------+--------+-----------+--------+--------+---------+------+-----------
> -----------------
> postgres|    2000|t          |t       |t       |t        |      |Sat Jan 31
> 09:00:00 2037 MSK
> afmmgr  |    2001|f          |t       |f       |t        |mgrpwd|
> afmusr  |    2002|f          |t       |f       |t        |usrpwd|
> (3 rows)

Yes, I remember now.  We keep them in clear, because we send random
salt-encrypted versions over the wire.  Only Postgresql can read this
table.


-- 
  Bruce Momjian                        |  http://www.op.net/~candle
  maillist@candle.pha.pa.us            |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026