Re: Salt in encrypted password in pg_shadow - Mailing list pgsql-general

From Tom Lane
Subject Re: Salt in encrypted password in pg_shadow
Date
Msg-id 14724.1094611708@sss.pgh.pa.us
Whole thread Raw
In response to Re: Salt in encrypted password in pg_shadow  (David Garamond <lists@zara.6.isreserved.com>)
List pgsql-general
David Garamond <lists@zara.6.isreserved.com> writes:
> Hm, I thought the purpose of salt is generally well understood?

Apparently not.

The purpose of salting the encrypted passwords in pg_shadow is *not* to
protect them against attackers who have somehow managed to
illegitimately read pg_shadow.  (As I explained before, such attackers
are effectively superuser already, and so protecting the superuser
password from them is not nearly as interesting as all that.)  The
purpose is to prevent unscrupulous DBAs from deducing the cleartext
passwords being used by their users.  Since the users presumably are not
all named "postgres", the argument you are advancing is not relevant.

            regards, tom lane

pgsql-general by date:

Previous
From: Tom Lane
Date:
Subject: Re: Salt in encrypted password in pg_shadow
Next
From: Greg Stark
Date:
Subject: Re: Salt in encrypted password in pg_shadow