Re: PostgreSQL cleartext passwords
| From | Tom Lane |
|---|---|
| Subject | Re: PostgreSQL cleartext passwords |
| Date | |
| Msg-id | 25339.958685897@sss.pgh.pa.us |
| In reply to | Re: PostgreSQL cleartext passwords (Jim Mercer <jim@reptiles.org>) |
| Responses | Re: PostgreSQL cleartext passwords |
| List | pgsql-general |
Jim Mercer <jim@reptiles.org> writes:
> On Thu, May 18, 2000 at 11:17:10AM -0700, David Duddleston wrote:
>> I'm currently evaluating PostgreSQL, but this posting regarding passwords
>> being stored in cleartext has me a bit concerned. I tried to find more
>> information regarding this issue, but with no luck. Could you please share
>> your thoughts on this.

> by default, the passwords are stored in clear text.
> however, if you are configuring passwords, then likely you are going to need
> to change settings in pg_hba.conf.
> in there you can specify "crypt", and the system will expect that the passwds
> in pg_shadow are encrypted.

Not so! "crypt" authentication provides for sending passwords in crypted
form during login (which is good if you're afraid of password-sniffers,
but then maybe you should be using SSL to protect your whole session,
not only the password). But it doesn't change the contents of pg_shadow.

David, you can find several discussions of this topic in the pg-hackers
archives, the latest just a couple of weeks ago. The short answer is
that many of us think the risk has been drastically overstated by
complainers --- if someone has broken into your database enough to read
the contents of pg_shadow, then you've got worse problems than whether
he knows your password. However, we did converge on what seemed to be a
good plan to change the implementation, and I think there is someone
working on it.

BTW, there is no particularly good reason to be storing passwords in the
Postgres database at all --- you can instead use Kerberos authentication,
or perhaps "ident" authentication (though ident is only OK if logins are
only accepted from machines whose sysadmins you trust, since ident is
easily faked on an insecure machine).

regards, tom lane
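The distinction Tom draws above, as an added simulation that is not code from this thread or from PostgreSQL itself: the "password" method sends the client's password across the wire in the clear, while the "crypt" method sends only a salted one-way hash of it, yet both authenticate against a cleartext password read from the server's shadow table. The `PG_SHADOW` dictionary is a constructed stand-in for pg_shadow, `Sniffer` models someone watching the network, and `crypt_stand_in` replaces the C library's DES-based crypt(3) (which the real "crypt" method used) with a SHA-256 construction of the same shape so the script runs on any platform; none of these names come from the original post.

```python
"""Simulation of the two pg_hba.conf password methods contrasted in the
message above. Illustrative code only, not PostgreSQL's implementation."""

import hashlib
import secrets

# Constructed stand-in for pg_shadow as it was in the 7.0 era:
# the password column holds cleartext, whichever auth method is configured.
PG_SHADOW = {"david": "correct horse", "jim": "hunter2"}


def crypt_stand_in(password: str, salt: str) -> str:
    """Stand-in for crypt(3): salt-prefixed one-way hash of the password.
    Real crypt authentication used the DES-based C library crypt();
    SHA-256 is substituted here (an assumption) to avoid a platform dependency."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest[:11]  # same shape as a crypt(3) result: salt + hash


class Sniffer:
    """Records everything that crosses the simulated wire."""

    def __init__(self):
        self.captured = []

    def observe(self, direction: str, msg: dict) -> None:
        self.captured.append((direction, msg))


def auth_password(user: str, password: str, sniffer: Sniffer) -> bool:
    """'password' method: the client sends its password in the clear and the
    server compares it directly with the cleartext in the shadow table."""
    sniffer.observe("client->server", {"user": user, "password": password})
    stored = PG_SHADOW.get(user)
    return stored is not None and secrets.compare_digest(stored, password)


def auth_crypt(user: str, password: str, sniffer: Sniffer) -> bool:
    """'crypt' method: server sends a fresh two-character salt; client
    answers with crypt(password, salt); server recomputes crypt() from the
    cleartext it still keeps in the shadow table and compares."""
    salt = secrets.token_hex(1)  # two characters, like a crypt(3) salt
    sniffer.observe("server->client", {"salt": salt})
    response = crypt_stand_in(password, salt)
    sniffer.observe("client->server", {"user": user, "response": response})
    stored = PG_SHADOW.get(user)
    if stored is None:
        return False
    return secrets.compare_digest(crypt_stand_in(stored, salt), response)


def wire_reveals_password(sniffer: Sniffer, password: str) -> bool:
    """What a password-sniffer learns: did the cleartext cross the wire?"""
    return any(password in str(msg) for _, msg in sniffer.captured)


def db_reveals_password(user: str) -> bool:
    """What someone who can read pg_shadow learns, regardless of method."""
    return PG_SHADOW.get(user) is not None


def compare_methods(user: str, password: str) -> dict:
    """Run both methods once and summarise who learns the password."""
    plain, crypt = Sniffer(), Sniffer()
    return {
        "password_ok": auth_password(user, password, plain),
        "password_on_wire": wire_reveals_password(plain, password),
        "crypt_ok": auth_crypt(user, password, crypt),
        "crypt_on_wire": wire_reveals_password(crypt, password),
        "in_pg_shadow": db_reveals_password(user),
    }


if __name__ == "__main__":
    for k, v in compare_methods("david", "correct horse").items():
        print(f"{k:18} {v}")
```

Running it shows the asymmetry the message describes: with "crypt" the sniffer sees only a salt and a hash, but the shadow table still holds the cleartext, so the method changes what crosses the wire and nothing about what is stored. The fresh salt per login is what stops a captured response from being replayed; Tom's recommendation to put the whole session under SSL covers the queries and results that "crypt" leaves exposed.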