Bruce Momjian wrote:
>> BTW, one could also ask exactly what threat model Stephen is concerned
>> about. ISTM anyone who can obtain the contents of pg_shadow has
>> *already* broken your database security.
> That's what I told him. I think his concern about pre-computed hashes
> is the only real issue, and given 'postgres' is usually the super-user, I
> can see someone pre-computing md5 postgres hashes and doing quick
> comparisons, perhaps as a root kit so you don't have to do the hashing
> yourself. I personally don't find that very compelling either.
The issue is that you should try your best to prevent dictionary attacks, because often people use the same passwords for different things. I know they shouldn't, but sometimes they do, so any measures you can take to make a dictionary attack harder are worth doing, especially when the random salt is so simple to implement.

-- 
David.
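The pre-computation argument from the thread, worked through as an added example (this is not code from the original posts or from PostgreSQL). It models the stored form as md5(password || username), the scheme PostgreSQL's md5 authentication uses, where the role name is the only "salt" and is predictable ('postgres'), and sets it beside a hypothetical random-salt variant. The wordlist, the `md5s$salt$digest` storage format, the `compare` driver and the weak password are constructed for the demo; the point shown is that an attacker pays the dictionary cost once for unsalted hashes and once per hash for salted ones, and that unsalted hashes also expose password reuse across servers.

```python
import hashlib
import os

# Constructed attacker wordlist; a real one has millions of entries.
WORDLIST = ["password", "postgres", "letmein", "secret123", "qwerty", "trustno1"]


def pg_md5(password: str, username: str) -> str:
    """Stored form modelled on PostgreSQL md5 auth: 'md5' + md5(password || username).
    The only per-user input is the username, which an attacker can guess."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def precompute_table(username: str, wordlist) -> dict:
    """Attacker's one-time work for a known username. The resulting table can be
    shipped inside a rootkit and reused against every server with that role."""
    return {pg_md5(pw, username): pw for pw in wordlist}


def crack_unsalted(stored: str, table: dict):
    """Per-server cost: one dictionary lookup, no hashing at all."""
    return table.get(stored)


def salted_hash(password: str, salt: bytes) -> str:
    """Hypothetical salted variant (assumption, not PostgreSQL's format):
    a random per-user salt stored next to md5(salt || password)."""
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"md5s${salt.hex()}${digest}"


def crack_salted(stored: str, wordlist):
    """The salt is unknown until the hash is captured, so the attacker must run
    the dictionary again for every stored hash. Returns (password, hashes computed)."""
    _, salt_hex, digest = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    work = 0
    for pw in wordlist:
        work += 1
        if hashlib.md5(salt + pw.encode()).hexdigest() == digest:
            return pw, work
    return None, work


def compare(servers: int = 5, password: str = "letmein") -> dict:
    """Simulate `servers` databases whose 'postgres' superuser picked the same
    weak password. Counts md5 operations the attacker spends in each scheme."""
    table = precompute_table("postgres", WORDLIST)
    unsalted_work = len(WORDLIST)          # paid once, before touching any server
    salted_work = 0
    cracked_unsalted = cracked_salted = 0
    plain_hashes, salted_hashes = set(), set()
    for _ in range(servers):
        stored_plain = pg_md5(password, "postgres")
        plain_hashes.add(stored_plain)
        if crack_unsalted(stored_plain, table) == password:
            cracked_unsalted += 1
        stored_salted = salted_hash(password, os.urandom(8))
        salted_hashes.add(stored_salted)
        found, work = crack_salted(stored_salted, WORDLIST)
        salted_work += work
        if found == password:
            cracked_salted += 1
    return {
        "unsalted_hashes": unsalted_work,
        "salted_hashes": salted_work,
        "cracked_unsalted": cracked_unsalted,
        "cracked_salted": cracked_salted,
        # identical unsalted hashes reveal the same password on every server
        "distinct_unsalted": len(plain_hashes),
        "distinct_salted": len(salted_hashes),
    }


if __name__ == "__main__":
    print(compare())
```

The salt does not stop a dictionary attack against a weak password: both schemes fall to the six-word list here. What it removes is the shared, shippable table and the cross-server equality of stored hashes, which is the "worth doing" part of the reply above.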