Re: Re: Encrypting pg_shadow passwords

On Tue, Jun 26, 2001 at 10:18:37AM -0400, Tom Lane wrote:
> though I would note that anyone who is able to examine the
> contents of pg_shadow has *already* broken into your database

note: the dbadmin ay not bethe system administrator, but the dbadmin,
by default (with plaintext) can scoop an entirelist of "useful" passwords,
since many users (like it or not) use the same/similar passwords for
multiple accounts.

> There's no reason to spend any additional work on it.

hmmm.  what is the expected date of rollout of the new code with a backwards
compatible API (i don't mind recompiling), which has encrypted passwords
in pg_shadow?

-- 
[ Jim Mercer        jim@reptiles.org         +1 416 410-5633 ]
[ Now with more and longer words for your reading enjoyment. ]