On Sun, 2012-12-16 at 17:24 +0100, Peter Bex wrote:
> On Sun, Dec 16, 2012 at 04:54:30PM +0100, Murray Cumming wrote:
> > libpq lets me open a connection by specifying a password:
> > http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-PARAMKEYWORDS
> >
> > Is there any way to specify a hash of the password when connecting, instead of
> > providing the password itself?
>
> What's the use of that?
[snip]
I would not be storing the plaintext password anywhere. That makes it
harder for someone get the plaintext password if they break into the
server, and therefore harder for someone to use that password to break
into another account if the user has used the same password.
There have been plenty of high profile cases recently of password
databases being stolen, with those passwords being in plaintext, or
hashed without a salt, making user accounts on other systems vulnerable.
I'd like to avoid making the same embarrassing mistake.
murrayc@murrayc.com
www.murrayc.com
www.openismus.com
