Re: Salt in encrypted password in pg_shadow
| От | Tom Lane |
|---|---|
| Тема | Re: Salt in encrypted password in pg_shadow |
| Дата | |
| Msg-id | 130.1094566779@sss.pgh.pa.us обсуждение исходный текст |
| Ответ на | Salt in encrypted password in pg_shadow (David Garamond <lists@zara.6.isreserved.com>) |
| Ответы |
Re: Salt in encrypted password in pg_shadow
|
| Список | pgsql-general |
David Garamond <lists@zara.6.isreserved.com> writes:
> I read that the password hash in pg_shadow is salted with username. Is
> this still the case? If so, since probably 99% of all PostgreSQL has
> "postgres" as the superuser name, wouldn't it be better to use standard
> Unix/Apache MD5 hash instead?
How does that improve anything? If we add a random salt into it, we'd
have to store the salt in pg_shadow, so there wouldn't be any secrecy
added --- an attacker who can read pg_shadow could see the salt too.
(Actually, an attacker who can read pg_shadow is already superuser,
so it's not clear there's anything left to hide from him anyway.)
regards, tom lane
В списке pgsql-general по дате отправления: