Consider someone who creates a long list of:
MD5( "postgres" + "aaaaaaaa" )
MD5( "postgres" + "aaaaaaab" )
MD5( "postgres" + "aaaaaaac" )
...
Now if he has access to other people's pg_shadow, he can compare the hashes with his dictionary. Replacing "postgres" with a random salt defeats this dictionary attack (and thus he will have to resort to brute force).
But surely you have to store the random salt in pg_shadow too? Or am I missing something?
-- Richard Huxton Archonet Ltd
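The precomputation the message describes, and the effect of a per-row random salt on it, as an added worked example (editor's code, not Richard's and not PostgreSQL's own implementation). It follows the post's shorthand of hashing a public fixed string ("postgres") in front of the password; PostgreSQL's actual md5 scheme hashes password followed by username, which has the same weakness, since the username is equally predictable. The candidate space is a constructed toy set of 4-letter strings over "abcd" rather than the 8-letter space in the post, the salt is 8 bytes from os.urandom, and the pg_shadow rows are constructed inline. The salt is stored in the clear next to the hash, exactly as the question asks; what it buys is that a table built for one salt is useless against any other row.

```python
import hashlib
import itertools
import os
from typing import Dict, Iterable, Optional, Tuple

# Public, predictable prefix used as the "salt" in the post's scheme.
USERNAME = "postgres"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def fixed_salt_hash(password: str, username: str = USERNAME) -> str:
    """The post's scheme: MD5(username + password). The username is public,
    so every user of that name shares the same effective salt."""
    return md5_hex((username + password).encode())


def random_salt_hash(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Per-row random salt. Returns (salt_hex, hash); both are stored in the
    row, the salt is not secret (assumption: 8 bytes from os.urandom)."""
    if salt is None:
        salt = os.urandom(8)
    return salt.hex(), md5_hex(salt + password.encode())


def build_dictionary(candidates: Iterable[str], username: str = USERNAME) -> Dict[str, str]:
    """Attacker's precomputed table hash -> password. Built once, reusable
    against every pg_shadow dump that uses the same fixed prefix."""
    return {fixed_salt_hash(p, username): p for p in candidates}


def crack_fixed(dictionary: Dict[str, str], stored_hash: str) -> Optional[str]:
    """One dictionary lookup per stored hash, no hashing at attack time."""
    return dictionary.get(stored_hash)


def crack_random(candidates: Iterable[str], salt_hex: str, stored_hash: str) -> Optional[str]:
    """With a per-row salt nothing can be precomputed: every candidate must be
    re-hashed for this specific salt, i.e. brute force per row."""
    salt = bytes.fromhex(salt_hex)
    for p in candidates:
        if md5_hex(salt + p.encode()) == stored_hash:
            return p
    return None


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    # Constructed toy candidate space: all 4-letter strings over "abcd" (256 entries).
    candidates = ["".join(t) for t in itertools.product("abcd", repeat=4)]
    table = build_dictionary(candidates)  # attacker's one-time work

    # Constructed pg_shadow-style rows for a victim whose password is "abad".
    victim_pw = "abad"
    row_fixed = fixed_salt_hash(victim_pw)
    salt_hex, row_random = random_salt_hash(victim_pw)

    hit_fixed = crack_fixed(table, row_fixed)            # "abad": table works
    hit_table_vs_random = crack_fixed(table, row_random) # None: table is useless
    hit_random = crack_random(candidates, salt_hex, row_random)  # "abad", but only by re-hashing
    return hit_fixed, hit_table_vs_random, hit_random


if __name__ == "__main__":
    print(demo())
```

Note that crack_random still succeeds: the salt does not make a weak password strong, it only removes the amortisation, so the attacker pays the full candidate-space cost for each row instead of once for all rows.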