Re: [HACKERS] Updated TODO list

> Bruce Momjian <maillist@candle.pha.pa.us> writes:
> >> DB admin has no business knowing other's passwords. The current security
> >> scheme is seriously flawed.
> 
> > But it is the db passwords, not the Unix passwords.
> 
> I think the original point was that some people use the same or related
> passwords for psql as for their login password.
> 
> Nonetheless, since we have no equivalent of "passwd" that would let a
> db user change his db password for himself, it's a little silly to
> talk about hiding db passwords from the admin who puts them in.
> 
> If this is a concern, we'd need to add both encrypted storage of
> passwords and a remote-password-change feature.

Doing the random salt over the wire would still be a problem.

--  Bruce Momjian                        |  http://www.op.net/~candle maillist@candle.pha.pa.us            |  (610)
853-3000+  If your life is a hard drive,     |  830 Blythe Avenue +  Christ can be your backup.        |  Drexel Hill,
Pennsylvania19026