>> I see. This protects the hash, which is an effective password, from
>> being gotten by sniffers. But a cracker who has stolen the hashes
>> out of Postgres can still get in no matter what until you change the
>> passwords.
What's your point? Stealing a password is stealing a password,
whatever form it's represented in. More to the point, a cracker
who can get to the stored passwords in Postgres has already
thoroughly broken the database's security; he doesn't need any
more access to the db than he's already got.
>> Its very important that the hashed passwords stored in Postgres
>> cannot be read by anyone except the Postgres superuser.
No different from the current system, where the cleartext passwords
mustn't be readable by anyone except the superuser, either. That's
not the objective of this exercise. The objective is to ensure that
getting hold of the (hashed) Postgres passwords doesn't let you into
*other* systems that a database user might have used the same
(cleartext) password for. We're trying to provide some security
for other people's barns in the event that our own horses have already
been stolen.
regards, tom lane