Tom Lane wrote:
>>Many people use short and easy-to-guess passwords (remember we're not
>>talking about the superuser only here), so the dictionary attack can be
>>more effective than people think.
>
> And that responds to the speed argument how? I quite agree that a
> guessable password is risky, but putting in a random salt offers no
> real advantage if the salt has to be stored in the same place as the
> encrypted password.
Hm, I thought the purpose of salt is generally well understood? A
well-known string such as "postgres" is *not* a good salt at all.
Here are a couple of pages that hopefully can explain better:
http://en.wikipedia.org/wiki/Dictionary_attack
http://en.wikipedia.org/wiki/Salt_(cryptography)
--
dave
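The exchange above is about what a salt buys you when it is stored next to the hash. The following is an added example, not code from the thread or from PostgreSQL: it uses an assumed construction `md5(salt || password)` over a constructed password dictionary and a constructed user table, and runs the same dictionary attack twice, once against a well-known shared salt ("postgres") and once against a random per-user salt. The salt does not stop a weak password from being guessed, but it removes the shared precomputed table (the attacker's work scales with the number of accounts instead of being paid once) and it hides which accounts share a password.

```python
import hashlib
import os
from typing import Dict, Tuple

# Constructed sample data for the demonstration (not real accounts).
DICTIONARY = ["password", "letmein", "qwerty", "postgres", "secret", "hunter2"]
USERS = {
    "alice": "letmein",
    "bob": "qwerty",
    "carol": "hunter2",
    "dave": "s3cr3t-Xy9!",   # not in the dictionary, survives both attacks
    "erin": "qwerty",        # same password as bob
}

FIXED_SALT = b"postgres"  # the well-known shared salt criticised in the thread


def hash_pw(password: str, salt: bytes) -> str:
    """Assumed illustrative scheme: md5(salt || password). Not PostgreSQL's."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def store_fixed(users: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    """Every account hashed with the same well-known salt."""
    return {u: (FIXED_SALT, hash_pw(p, FIXED_SALT)) for u, p in users.items()}


def store_random(users: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    """Each account gets its own random salt, stored beside the digest."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(8)
        out[u] = (salt, hash_pw(p, salt))
    return out


def crack(store: Dict[str, Tuple[bytes, str]], dictionary) -> Tuple[Dict[str, str], int]:
    """Dictionary attack that reuses a precomputed table whenever two
    accounts share a salt. Returns (recovered passwords, hash computations).
    The salt is read straight out of the store, as an attacker with the
    password table would."""
    tables: Dict[bytes, Dict[str, str]] = {}
    work = 0
    found: Dict[str, str] = {}
    for user, (salt, digest) in store.items():
        if salt not in tables:
            # A new salt forces the whole dictionary to be hashed again.
            tables[salt] = {hash_pw(w, salt): w for w in dictionary}
            work += len(dictionary)
        if digest in tables[salt]:
            found[user] = tables[salt][digest]
    return found, work


def distinct_digests(store: Dict[str, Tuple[bytes, str]]) -> int:
    """Fewer distinct digests than users means shared passwords are visible
    without cracking anything."""
    return len({digest for _, digest in store.values()})


if __name__ == "__main__":
    fixed = store_fixed(USERS)
    random_salted = store_random(USERS)
    for name, store in (("fixed salt", fixed), ("random salt", random_salted)):
        found, work = crack(store, DICTIONARY)
        print(f"{name}: recovered {sorted(found)} with {work} hashes; "
              f"{distinct_digests(store)} distinct digests for {len(store)} users")
```

With the shared salt the attacker hashes the dictionary once and reads off every weak password, and bob and erin are visibly the same. With per-user salts the same four weak passwords still fall, but only after hashing the dictionary once per account, and nothing in the stored table says which accounts coincide; the salt is stored in the clear either way.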