Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
- To: Stephen Frost <sfrost@xxxxxxxxxxx>
- Subject: Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
- From: "David F. Skoll" <dfs@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 20 Apr 2005 15:36:53 -0400
Stephen Frost wrote:
> The md5 hash which is generated for and stored in pg_shadow does not
> use a random salt but instead uses the username which can generally be
> determined ahead of time (especially for the 'postgres' superuser
> account).
I noted that this was a problem back in August, 2002:
http://archives.postgresql.org/pgsql-admin/2002-08/msg00253.php
Then, as now, the developers weren't very concerned.
Regards,
David.
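
The point in the quoted text, as an added illustration that is not part of the original message or of PostgreSQL's code: because the stored value is `md5` followed by MD5(password + username), the same account name and password give the same stored string on every installation, which an audit across clusters can detect. The function names, cluster names, sample password, and the PBKDF2 random-salt contrast are assumptions made for this example.

```python
import hashlib
import os
from collections import defaultdict

def pg_md5_verifier(username, password):
    # PostgreSQL md5 storage format: "md5" + hex(md5(password || username)).
    # The username is the only salt, so the result is fully deterministic.
    data = (password + username).encode("utf-8")
    return "md5" + hashlib.md5(data).hexdigest()

def random_salt_verifier(password, salt=None, iterations=100_000):
    # Contrast case (assumption, not the scheme discussed in the thread):
    # a fresh random salt per stored entry.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex() + "$" + digest.hex()

def reused_across_clusters(rows):
    # rows: iterable of (cluster, username, stored_verifier).
    # Returns {(username, verifier): [clusters]} for entries that are
    # byte-identical in more than one cluster.
    seen = defaultdict(set)
    for cluster, user, verifier in rows:
        seen[(user, verifier)].add(cluster)
    return {key: sorted(c) for key, c in seen.items() if len(c) > 1}

# Constructed sample data: the same passphrase set on two clusters.
SAMPLE_PASSWORD = "example-passphrase"
md5_rows = [
    ("cluster-a", "postgres", pg_md5_verifier("postgres", SAMPLE_PASSWORD)),
    ("cluster-b", "postgres", pg_md5_verifier("postgres", SAMPLE_PASSWORD)),
    ("cluster-b", "report", pg_md5_verifier("report", SAMPLE_PASSWORD)),
]
salted_rows = [(c, u, random_salt_verifier(SAMPLE_PASSWORD)) for c, u, _ in md5_rows]

if __name__ == "__main__":
    # Username-salted entries for 'postgres' collide across clusters.
    print("username salt:", reused_across_clusters(md5_rows))
    # Randomly salted entries never match, even for the same password.
    print("random salt:  ", reused_across_clusters(salted_rows))
```
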