> On Tue, Jun 26, 2001 at 10:18:37AM -0400, Tom Lane wrote:
> > though I would note that anyone who is able to examine the
> > contents of pg_shadow has *already* broken into your database
>
> note: the dbadmin may not be the system administrator, but the dbadmin,
> by default (with plaintext) can scoop an entire list of "useful" passwords,
> since many users (like it or not) use the same/similar passwords for
> multiple accounts.

I fully agree with this statement and think it is a valid concern.
Would it help here to introduce some poor man's encryption that is
reversible? Then the admin would need to intentionally decrypt the
pg_shadow entry to see that plain password, and not see it if he just
accidentally select'ed * from pg_shadow.

If an admin intentionally wants to crack a password he will always
have means to do that (e.g. send well chosen salts).

Andreas