marcin mank <marcin.mank@gmail.com> writes:
>> The case that ENCRYPTED
>> protects against is database superusers finding out other users'
>> original passwords, which is a security issue to the extent that those
>> users have used the same/similar passwords for other systems.
> I just want to note that md5 is not much of a protection against this
> case these days. Take a look at this:
> http://www.golubev.com/hashgpu.htm
> It takes about 32 hours to brute force all passwords from [a-zA-Z0-9]
> of up to 8 chars in length.
Yeah, but that will find you a password that hashes to the same thing.
Not necessarily the same password. It'll get you into the Postgres
DB just fine, which you don't care about because you're already a
superuser there. It won't necessarily get you into the assumed
third-party systems.
regards, tom lane