Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)

does it matter if people are able to see the passwords?  I mean,
if the passwords are stored in a table (preferable encrypted), and
the table is only readable (select, insert, etc...) by the superuser
or those of equal grant rights), then who cares?

Dante

.------------------------------------------.-----------------------.
|  _ dlorenso@afai.com - D. Dante Lorenso  | Network Administrator |
| | |    ___  _ _  ___  __ _  ___  ___     |                       |
| | |__ / o \| '_|/ o_\|  \ |\_ _\/ o \    | Accounting Firms      |
| |____|\___/|_|  \___/|_|\_|\___|\___/    | Associated, inc.      |
| http://www.afai.com/~dlorenso            | http://www.afai.com/  |
'------------------------------------------'-----------------------'

-----Original Message-----
From: Brett McCormick <brett@work.chicken.org>
To: Jan Wieck <jwieck@debis.com>
Cc: Zeugswetter Andreas SARZ <Andreas.Zeugswetter@telecom.at>;
pgsql-hackers@hub.org <pgsql-hackers@hub.org>
Date: Thursday, February 19, 1998 12:53 PM
Subject: Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)


>
>Have we considering using the unix crypt function for passwords?  That
>way it wouldn't matter (as much) if people saw the password, and would
>still be (somewhat less) secure.
>
>On Thu, 19 February 1998, at 15:55:07, Jan Wieck wrote:
>
>>     Cracked!
>>
>>     create table get_passwds (usename name, passwd text);
>>     insert into get_passwds select usename, passwd from pg_user;
>>     select * from get_passwds;
>>     usename|passwd
>>     -------+------
>>     pgsql  |
>>     wieck  |test
>>     (2 rows)
>>
>>
>>
>> Sorry, Jan
>>
>> --
>>
>> #======================================================================#
>> # It's easier to get forgiveness for being wrong than for being right. #
>> # Let's break this rule - forgive me.                                  #
>> #======================================== jwieck@debis.com (Jan Wieck) #
>>
>>
>