RE: [HACKERS] Updated TODO list

I can "select * from pgshadow" as the database owner.

> -----Original Message-----
> From: owner-pgsql-hackers@postgreSQL.org
> [mailto:owner-pgsql-hackers@postgreSQL.org]On Behalf Of Bruce Momjian
> Sent: 09 July 1999 17:41
> To: Hannu Krosing
> Cc: Gene Sokolov; PostgreSQL-development
> Subject: Re: [HACKERS] Updated TODO list
> 
> 
> > > But we don't, do we?  I thougth they were hashed.
> > 
> > do
> >  select * from pg_shadow;
> > 
> > I think that it was agreed that it is better when they 
> can't bw snatched
> > from 
> > network than to have them hashed in db. 
> > Using currently known technologies we must either either know the
> > original password 
> > and use challenge-response on net, or else use plaintext 
> (or equivalent)
> > on the wire.
> 
> Yes, I remember now, we hash them with random salt before sending them
> to the client, and they are only visible to the postgres user.
> 
> -- 
>   Bruce Momjian                        |  http://www.op.net/~candle
>   maillist@candle.pha.pa.us            |  (610) 853-3000
>   +  If your life is a hard drive,     |  830 Blythe Avenue
>   +  Christ can be your backup.        |  Drexel Hill, 
> Pennsylvania 19026
> 
>