Re: [HACKERS] Updated TODO list

> > But we don't, do we?  I thougth they were hashed.
> 
> do
>  select * from pg_shadow;
> 
> I think that it was agreed that it is better when they can't bw snatched
> from 
> network than to have them hashed in db. 
> Using currently known technologies we must either either know the
> original password 
> and use challenge-response on net, or else use plaintext (or equivalent)
> on the wire.

Yes, I remember now, we hash them with random salt before sending them
to the client, and they are only visible to the postgres user.

--  Bruce Momjian                        |  http://www.op.net/~candle maillist@candle.pha.pa.us            |  (610)
853-3000+  If your life is a hard drive,     |  830 Blythe Avenue +  Christ can be your backup.        |  Drexel Hill,
Pennsylvania19026