Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)

does it matter if people are able to see the passwords? I mean,
if the passwords are stored in a table (preferable encrypted), and
the table is only readable (select, insert, etc...) by the superuser
or those of equal grant rights), then who cares?

Dante

.------------------------------------------.-----------------------.
| _ dlorenso(at)afai(dot)com - D. Dante Lorenso | Network Administrator |
| | | ___ _ _ ___ __ _ ___ ___ | |
| | |__ / o \| '_|/ o_\| \ |\_ _\/ o \ | Accounting Firms |
| |____|\___/|_| \___/|_|\_|\___|\___/ | Associated, inc. |
| http://www.afai.com/~dlorenso | http://www.afai.com/ |
'------------------------------------------'-----------------------'

-----Original Message-----
From: Brett McCormick <brett(at)work(dot)chicken(dot)org>
To: Jan Wieck <jwieck(at)debis(dot)com>
Cc: Zeugswetter Andreas SARZ <Andreas(dot)Zeugswetter(at)telecom(dot)at>;
pgsql-hackers(at)hub(dot)org <pgsql-hackers(at)hub(dot)org>
Date: Thursday, February 19, 1998 12:53 PM
Subject: Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)

>
>Have we considering using the unix crypt function for passwords? That
>way it wouldn't matter (as much) if people saw the password, and would
>still be (somewhat less) secure.
>
>On Thu, 19 February 1998, at 15:55:07, Jan Wieck wrote:
>
>> Cracked!
>>
>> create table get_passwds (usename name, passwd text);
>> insert into get_passwds select usename, passwd from pg_user;
>> select * from get_passwds;
>> usename|passwd
>> -------+------
>> pgsql |
>> wieck |test
>> (2 rows)
>>
>>
>>
>> Sorry, Jan
>>
>> --
>>
>> #======================================================================#
>> # It's easier to get forgiveness for being wrong than for being right. #
>> # Let's break this rule - forgive me. #
>> #======================================== jwieck(at)debis(dot)com (Jan Wieck) #
>>
>>
>