Re: Salt in encrypted password in pg_shadow - Mailing list pgsql-general

From Tom Lane
Subject Re: Salt in encrypted password in pg_shadow
Date
Msg-id 130.1094566779@sss.pgh.pa.us
Whole thread Raw
In response to Salt in encrypted password in pg_shadow  (David Garamond <lists@zara.6.isreserved.com>)
Responses Re: Salt in encrypted password in pg_shadow
List pgsql-general
David Garamond <lists@zara.6.isreserved.com> writes:
> I read that the password hash in pg_shadow is salted with username. Is
> this still the case? If so, since probably 99% of all PostgreSQL has
> "postgres" as the superuser name, wouldn't it be better to use standard
> Unix/Apache MD5 hash instead?

How does that improve anything?  If we add a random salt into it, we'd
have to store the salt in pg_shadow, so there wouldn't be any secrecy
added --- an attacker who can read pg_shadow could see the salt too.

(Actually, an attacker who can read pg_shadow is already superuser,
so it's not clear there's anything left to hide from him anyway.)

            regards, tom lane

pgsql-general by date:

Previous
From: Oliver Elphick
Date:
Subject: Re: restricting non superuser from accessing other
Next
From: Dan Sugalski
Date:
Subject: explain with placeholders?