Don't know if you know this already, but since april 23, you've been
on SecurityFocus.com for the cleartext passwords in pg_shadow:
http://www.securityfocus.com/bid/1139
I know it has been discussed at least a couple of times before, but in
my opinion this is an issue that needs a solution.
The problem with cleartext passwords is not just that root, postgres
super user or anyone who has legally or illegally got access to the
system can see the passwords a user uses to log in to PostgreSQL. The
problem lies in the well known fact that we tend to use the same
password several places, if not everywhere. With all the passwords
needed these days, that is how it _has_ to be.
The first PostgreSQL based site that gets cracked, will make headlines
stating that passwords have got into the wrong hands. Do we (or you)
want that?
Sverre.
--
<URL:mailto:sverrehu@online.no>
<URL:http://home.sol.no/~sverrehu/> Echelon bait: semtex, bin Laden,
plutonium,North Korea, nuclear bomb
