Re: You're on SecurityFocus.com for the cleartext passwords. - Mailing list pgsql-hackers

From Vince Vielhaber
Subject Re: You're on SecurityFocus.com for the cleartext passwords.
Date
Msg-id Pine.BSF.4.21.0005052107150.13605-100000@paprika.michvhf.com
In response to Re: You're on SecurityFocus.com for the cleartext passwords.  (The Hermit Hacker <scrappy@hub.org>)
Responses Re: You're on SecurityFocus.com for the cleartext passwords.  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Fri, 5 May 2000, The Hermit Hacker wrote:

> On Sat, 6 May 2000, Sverre H. Huseby wrote:
> 
> > Don't know if you know this already, but since april 23, you've been
> > on SecurityFocus.com for the cleartext passwords in pg_shadow:
> > 
> >     http://www.securityfocus.com/bid/1139
> > 
> > I know it has been discussed at least a couple of times before, but in
> > my opinion this is an issue that needs a solution.
> > 
> > The problem with cleartext passwords is not just that root, postgres
> > super user or anyone who has legally or illegally got access to the
> > system can see the passwords a user uses to log in to PostgreSQL.  The
> > problem lies in the well known fact that we tend to use the same
> > password several places, if not everywhere.  With all the passwords
> > needed these days, that is how it _has_ to be.
> > 
> > The first PostgreSQL based site that gets cracked, will make headlines
> > stating that passwords have got into the wrong hands.  Do we (or you)
> > want that?
> 
> You've lost me here ... the only person(s) that can get at those passwords
> are those that have compromised the system already.  Even if the passwords
> *weren't* in cleartext, there is nothing that stops me from downloading
> the data/* directory down to my computer and running pg_upgrade to "make
> it my own", removing the passwords ... 

Same defense I used when I responded to the BugTRAQ post.  Even though I
understand the possible ramifications of cleartext passwords, I still
stand by my previous comments: an admin needs to properly maintain and
protect the systems they're entrusted to.  However, after reading about
the www.apache.org compromise details earlier today I'm of the opinion
now that we should look into encrypting the passwords.  I'm also of the
opinion that I should volunteer to at least help in the fixing of it.

Vince.
-- 
==========================================================================
Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
       128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
       Online Campground Directory    http://www.camping-usa.com
       Online Giftshop Superstore     http://www.cloudninegifts.com
==========================================================================
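The two storage schemes argued over in this thread, side by side, as an added illustration that is not code from the thread or from PostgreSQL itself (the `add_user_*`, `verify_hashed` and `reusable_passwords_in_dump` names, the in-memory tables standing in for pg_shadow, and the choice of PBKDF2-HMAC-SHA256 are all assumptions made for this example). It models Sverre's concern, that a copied data directory hands out passwords the users also use elsewhere, and shows that a salted hash removes exactly that exposure. It does not answer Marc's point: whoever can copy `data/*` can still alter the cluster, so hashing narrows the damage of a compromise rather than preventing one.

```python
import hashlib
import hmac
import os
from typing import Dict, List

# Hypothetical in-memory stand-ins for a pg_shadow-like table, constructed for
# this example; they are not PostgreSQL's catalog structures.
CleartextTable = Dict[str, str]
HashedTable = Dict[str, Dict[str, str]]

PBKDF2_ITERATIONS = 200_000  # work factor chosen for this example


def add_user_cleartext(table: CleartextTable, user: str, password: str) -> None:
    """The scheme criticised in the thread: the password itself is the stored secret."""
    table[user] = password


def add_user_hashed(table: HashedTable, user: str, password: str) -> None:
    """Store a per-user random salt plus a PBKDF2-HMAC-SHA256 digest, never the password.

    The salt makes two users with the same password produce different records,
    so a dump cannot even reveal that they share one.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    table[user] = {"salt": salt.hex(), "hash": digest.hex()}


def verify_hashed(table: HashedTable, user: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    record = table.get(user)
    if record is None:
        return False
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def reusable_passwords_in_dump(dump: object, known_passwords: List[str]) -> List[str]:
    """Model the thread's worry: treat the table as a copied data directory and
    report which of the users' real passwords can be read straight out of it."""
    text = repr(dump)
    return [pw for pw in known_passwords if pw in text]


def demo() -> Dict[str, object]:
    """Run both schemes on constructed sample users and return what each exposes."""
    cleartext: CleartextTable = {}
    hashed: HashedTable = {}
    # Constructed sample accounts; 'alice' and 'bob' deliberately share a password
    # to reflect the reuse problem raised in the thread.
    add_user_cleartext(cleartext, "alice", "hunter2")
    add_user_hashed(hashed, "alice", "hunter2")
    add_user_hashed(hashed, "bob", "hunter2")
    return {
        "cleartext_leaks": reusable_passwords_in_dump(cleartext, ["hunter2"]),
        "hashed_leaks": reusable_passwords_in_dump(hashed, ["hunter2"]),
        "login_ok": verify_hashed(hashed, "alice", "hunter2"),
        "wrong_pw_ok": verify_hashed(hashed, "alice", "hunter3"),
        "same_pw_same_record": hashed["alice"]["hash"] == hashed["bob"]["hash"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The cleartext table gives up the shared password verbatim; the hashed table gives up nothing that can be typed into another site, and the per-user salt keeps alice's and bob's records distinct even though their passwords match.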