Home > mailing lists

Re: Salt in encrypted password in pg_shadow - Mailing list pgsql-general

From	Tom Lane
Subject	Re: Salt in encrypted password in pg_shadow
Date	September 7, 2004 18:22:21
Msg-id	130.1094566779@sss.pgh.pa.us Whole thread Raw
In response to	Salt in encrypted password in pg_shadow (David Garamond <lists@zara.6.isreserved.com>)
Responses	Re: Salt in encrypted password in pg_shadow (David Garamond <lists@zara.6.isreserved.com>)
List	pgsql-general

Tree view

David Garamond <lists@zara.6.isreserved.com> writes:
> I read that the password hash in pg_shadow is salted with username. Is
> this still the case? If so, since probably 99% of all PostgreSQL has
> "postgres" as the superuser name, wouldn't it be better to use standard
> Unix/Apache MD5 hash instead?

How does that improve anything?  If we add a random salt into it, we'd
have to store the salt in pg_shadow, so there wouldn't be any secrecy
added --- an attacker who can read pg_shadow could see the salt too.

(Actually, an attacker who can read pg_shadow is already superuser,
so it's not clear there's anything left to hide from him anyway.)

            regards, tom lane

pgsql-general by date:

From: Oliver Elphick
Date: 07 September 2004, 18:20:32
Subject: Re: restricting non superuser from accessing other

From: Dan Sugalski
Date: 07 September 2004, 18:24:15
Subject: explain with placeholders?

Re: Salt in encrypted password in pg_shadow - Mailing list pgsql-general

Previous

Next