Re: You're on SecurityFocus.com for the cleartext passwords.
From | The Hermit Hacker |
---|---|
Subject | Re: You're on SecurityFocus.com for the cleartext passwords. |
Date | |
Msg-id | Pine.BSF.4.21.0005052023320.56194-100000@thelab.hub.org |
In response to | You're on SecurityFocus.com for the cleartext passwords. ("Sverre H. Huseby" <sverrehu@online.no>) |
Responses | Re: You're on SecurityFocus.com for the cleartext passwords. / Re: You're on SecurityFocus.com for the cleartext passwords. |
List | pgsql-hackers |

On Sat, 6 May 2000, Sverre H. Huseby wrote:

> Don't know if you know this already, but since April 23, you've been
> on SecurityFocus.com for the cleartext passwords in pg_shadow:
>
> http://www.securityfocus.com/bid/1139
>
> I know it has been discussed at least a couple of times before, but in
> my opinion this is an issue that needs a solution.
>
> The problem with cleartext passwords is not just that root, postgres
> super user or anyone who has legally or illegally got access to the
> system can see the passwords a user uses to log in to PostgreSQL. The
> problem lies in the well known fact that we tend to use the same
> password several places, if not everywhere. With all the passwords
> needed these days, that is how it _has_ to be.
>
> The first PostgreSQL based site that gets cracked, will make headlines
> stating that passwords have got into the wrong hands. Do we (or you)
> want that?

You've lost me here ... the only person(s) that can get at those passwords are those that have compromised the system already.

Even if the passwords *weren't* in cleartext, there is nothing that stops me from downloading the data/* directory down to my computer and running pg_upgrade to "make it my own", removing the passwords ...

Marc G. Fournier ICQ#7615664 IRC Nick: Scrappy
Systems Administrator @ hub.org
primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org