* David F. Skoll (dfs@xxxxxxxxxxxxxxxxxx) wrote: > Stephen Frost wrote: > > The md5 hash which is generated for and stored in pg_shadow does not > > use a random salt but instead uses the username which can generally be > > determined ahead of time (especially for the 'postgres' superuser > > account). > > I noted that this was a problem back in August, 2002: > > http://archives.postgresql.org/pgsql-admin/2002-08/msg00253.php > > Then, as now, the developers weren't very concerned. I have some hopes that pointing out the rather large problem with the md5 authentication mechanism in pg_hba.conf will lead them to discourage it's use and thus reduce the occourances of the salt being made available to the user giving more weight to the usefullness of having it be a random salt. Additionally, it's been a few years, perhaps viewpoints have changed. Stephen
Attachment:
signature.asc
Description: Digital signature