Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>, Paul Tillotson <pntil(at)shentel(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Date: 2005-04-21 16:13:47
Message-ID: 16115.1114100027@sss.pgh.pa.us
Lists: pgsql-hackers

Stephen Frost <sfrost(at)snowman(dot)net> writes:
> I'd also like to point out that this is *only* an issue for the 'md5'
> authentication mechanism in pg_hba.conf, which I think should be
> discouraged in favor of 'password' and SSL/IPSEC.

This is still utter nonsense. How can md5 be less secure than storing
your password in the clear?

Whether you want the extra security of IPSEC is an orthogonal discussion
really; if your connection goes over an insecure network then you most
likely need it in order to hide your data, never mind your password.

regards, tom lane
