Re: You're on SecurityFocus.com for the cleartext passwords.
From | Bruce Momjian |
---|---|
Subject | Re: You're on SecurityFocus.com for the cleartext passwords. |
Date | |
Msg-id | 200005070417.AAA03040@candle.pha.pa.us |
In response to | Re: You're on SecurityFocus.com for the cleartext passwords. ("Robert B. Easter" <reaster@comptechnews.com>) |
Responses | Re: You're on SecurityFocus.com for the cleartext passwords. |
List | pgsql-hackers |
> I see. This protects the hash, which is an effective password, from being
> gotten by sniffers. But a cracker who has stolen the hashes out of Postgres can
> still get in no matter what until you change the passwords.
>
> I guess hashed password authentication is really not designed for use over an
> untrusted connection. You get the hash becomes effective password problem.
> It's very important that the hashed passwords stored in Postgres cannot be read
> by anyone except the Postgres superuser.
>
> Am I getting this right?

Good point. Though they can't see the original password, they can have
a pgsql client use it to connect to the database.

Anyone have a fix for that one?

--
  Bruce Momjian                        |  http://www.op.net/~candle
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
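Added example, not part of the original message and not PostgreSQL code: a comparison of a verifier that is password-equivalent (the problem raised in the thread) with one that is not. Scheme A is an assumed simple challenge-response over a stored hash; scheme B is a simplified SCRAM-style verifier (RFC 5802 idea, without salt or iteration count); all function names are illustrative.

```python
import hashlib, hmac, os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Scheme A (assumed): server stores H(password); the client proves knowledge of
# that stored value by hashing it with a per-connection challenge.
def a_enroll(password: str) -> bytes:
    return H(password.encode())

def a_respond(secret: bytes, challenge: bytes) -> bytes:
    return H(secret + challenge)

def a_verify(stored: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(a_respond(stored, challenge), response)

# Scheme B (SCRAM-style, simplified): server stores H(ClientKey); the client
# must present ClientKey itself, masked by a signature over the challenge.
def b_client_key(password: str) -> bytes:
    return mac(H(password.encode()), b"Client Key")

def b_enroll(password: str) -> bytes:
    return H(b_client_key(password))

def b_respond(client_key: bytes, challenge: bytes) -> bytes:
    return xor(client_key, mac(H(client_key), challenge))

def b_verify(stored: bytes, challenge: bytes, proof: bytes) -> bool:
    return hmac.compare_digest(H(xor(proof, mac(stored, challenge))), stored)

def stolen_verifier_accepted(password: str = "constructed-sample-pw"):
    """Return (scheme A, scheme B): does the stored row alone pass verification?"""
    challenge = os.urandom(16)
    stored_a, stored_b = a_enroll(password), b_enroll(password)
    # The stored row is used in place of the client's secret.
    return (a_verify(stored_a, challenge, a_respond(stored_a, challenge)),
            b_verify(stored_b, challenge, b_respond(stored_b, challenge)))

def legitimate_login_accepted(password: str = "constructed-sample-pw"):
    challenge = os.urandom(16)
    return (a_verify(a_enroll(password), challenge, a_respond(a_enroll(password), challenge)),
            b_verify(b_enroll(password), challenge, b_respond(b_client_key(password), challenge)))
```

In scheme B a stored row combined with a captured login exchange still reveals ClientKey, so the verifier table must stay readable only by the superuser and the connection still needs transport encryption.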