Re: Hashing passwords (was Updated TODO list)

[Charset iso-8859-1 unsupported, filtering to ASCII...]
> From: Bruce Momjian <maillist@candle.pha.pa.us>
> > > > ADMIN
> > > >
> > > How about:
> > > * Not storing passwords in plain text
> >
> > But we don't, do we?  I thougth they were hashed.
> 
> maybe I miss something but it does not look so to me:
> 
> [PostgreSQL 6.5.0 on i386-unknown-freebsd3.2, compiled by gcc 2.7.2.1]
> 
> test1=> select * from pg_shadow;
> usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd|valuntil
> --------+--------+-----------+--------+--------+---------+------+-----------
> -----------------
> postgres|    2000|t          |t       |t       |t        |      |Sat Jan 31
> 09:00:00 2037 MSK
> afmmgr  |    2001|f          |t       |f       |t        |mgrpwd|
> afmusr  |    2002|f          |t       |f       |t        |usrpwd|
> (3 rows)

Yes, I remember now.  We keep them in clear, because we send random
salt-encrypted versions over the wire.  Only Postgresql can read this
table.


--  Bruce Momjian                        |  http://www.op.net/~candle maillist@candle.pha.pa.us            |  (610)
853-3000+  If your life is a hard drive,     |  830 Blythe Avenue +  Christ can be your backup.        |  Drexel Hill,
Pennsylvania19026