I completely agree with Louis. It's not just the hacker: there is no need
for a sysadmin to know passwords either. I believe a security scheme where
a sysadmin or anyone else has to take action in order *not* to see passwords
is flawed.
I think the following solution would be satisfactory:
Store SHA(password) XOR SHA(mastervalue [+] uid). In case it's difficult to
alter the wire protocol, store password XOR SHA(mastervalue [+] uid). Either
way no one can get useful info without knowing the master value. Even simple
password XOR <mastervalue> would be helpful.
Gene Sokolov.
From: Louis Bertrand <louis@bertrandtech.on.ca>
> Why should anyone be able to read cleartext passwords, or even need to?
> People have a habit of reusing the same password for logins elsewhere.
> Hash the password as it's entered and compare hashes. This way, even if
> the password file (PostgreSQL's or the system's) is compromised, the
> attacker gains no extra information.
>
> > From: Bruce Momjian <maillist@candle.pha.pa.us>
> > Yes, I remember now. We keep them in clear, because we send random
> > salt-encrypted versions over the wire. Only Postgresql can read this
> > table.
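A worked version of the two storage variants proposed in the message above, added here as an example; it is not code from the thread or from PostgreSQL. It assumes SHA-256 for "SHA", a NUL byte as the `[+]` separator, and, for the reversible variant, passwords of at most 32 bytes without NUL bytes. The master value is a constructed sample; in practice it would live outside the database, readable only by the server process.

```python
import hashlib
import hmac

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes


def mask(master: bytes, uid: str) -> bytes:
    """SHA(mastervalue [+] uid): a per-user mask derived from the master value.

    Assumption: SHA-256 and a NUL separator between master value and uid.
    """
    return hashlib.sha256(master + b"\x00" + uid.encode("utf-8")).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def store_hashed(master: bytes, uid: str, password: str) -> bytes:
    """Variant 1: SHA(password) XOR SHA(mastervalue [+] uid).

    Nothing reversible is stored; the uid in the mask also means two users
    with the same password get different table entries.
    """
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
    return xor_bytes(pw_hash, mask(master, uid))


def verify_hashed(master: bytes, uid: str, password: str, stored: bytes) -> bool:
    """Recompute the stored value and compare in constant time."""
    return hmac.compare_digest(store_hashed(master, uid, password), stored)


def store_plain(master: bytes, uid: str, password: str) -> bytes:
    """Variant 2: password XOR SHA(mastervalue [+] uid).

    Reversible by design, so a server that still needs the cleartext for its
    wire protocol can recover it; the mask keeps the table entry opaque.
    Assumption: password <= 32 bytes and NUL-free (zero padding is stripped).
    """
    pw = password.encode("utf-8")
    if len(pw) > DIGEST_LEN or b"\x00" in pw:
        raise ValueError("password must be at most 32 NUL-free bytes (example limit)")
    return xor_bytes(pw.ljust(DIGEST_LEN, b"\x00"), mask(master, uid))


def recover_plain(master: bytes, uid: str, stored: bytes) -> str:
    """Undo variant 2 with the master value; without it the entry is opaque."""
    return xor_bytes(stored, mask(master, uid)).rstrip(b"\x00").decode("utf-8")


if __name__ == "__main__":
    master = b"constructed-master-value"  # constructed sample, not a real secret
    for uid in ("alice", "bob"):
        # same password, different entries because the mask depends on uid
        print(uid, store_hashed(master, uid, "same password").hex())
```

The master value is the whole secret: with only a table dump an attacker sees values masked by a per-user digest they cannot compute, which is the property the message claims. If the master value leaks together with the table, variant 1 degrades to a plain unsalted SHA of the password and variant 2 to cleartext, so the file holding it needs the same access control as the server's own process.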