Re: [HACKERS] Updated TODO list

Bruce Momjian <maillist@candle.pha.pa.us>

From: Bruce Momjian <maillist@candle.pha.pa.us>
To: Hannu Krosing <hannu@trust.ee>
Cc: Gene Sokolov <hook@aktrad.ru>, PostgreSQL-development <pgsql-hackers@postgreSQL.org>
Date: 1999-07-09T16:40:45Z
Lists: pgsql-hackers
> > But we don't, do we?  I thougth they were hashed.
> 
> do
>  select * from pg_shadow;
> 
> I think that it was agreed that it is better when they can't bw snatched
> from 
> network than to have them hashed in db. 
> Using currently known technologies we must either either know the
> original password 
> and use challenge-response on net, or else use plaintext (or equivalent)
> on the wire.

Yes, I remember now, we hash them with random salt before sending them
to the client, and they are only visible to the postgres user.

-- 
  Bruce Momjian                        |  http://www.op.net/~candle
  maillist@candle.pha.pa.us            |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026