| From: | Lincoln Yeoh <lyeoh(at)pop(dot)jaring(dot)my> |
|---|---|
| To: | Jim Mercer <jim(at)reptiles(dot)org> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Vince Vielhaber <vev(at)michvhf(dot)com>, Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Re: Encrypting pg_shadow passwords |
| Date: | 2001-06-17 15:05:52 |
| Message-ID: | 3.0.5.32.20010617230552.0152b760@192.228.128.13 |
| Lists: | pgsql-hackers |

At 12:04 AM 6/16/01 -0400, Jim Mercer wrote:
>On Sat, Jun 16, 2001 at 11:20:30AM +0800, Lincoln Yeoh wrote:
>> If you need to use encryption then having _everything_ encrypted is a
>> better idea - SSL etc. Those >1GHz CPUs are handy ;).
>
>[ yes, i noted the smiley ]
>
>it is rather unfortunate to see the OSS community buying into the tenets
>that allowed microsoft to get world domination based on crap quality
>software.
>
>"hardware is cheap" is a falsehood.

My point is if you really need encryption, then your data should be
encrypted too, otherwise it seems a waste of time or more a "feel good" thing.

I find it hard to recommend a setup where just the authentication portion
is encrypted but all the data is left in plaintext for everyone to see. Why
go to all that trouble to _fool_ yourself, when you can either do it
securely (encrypt everything), or do it quick (no encryption).

I'd personally put "only authentication is encrypted" in the "crossing a
chasm in two leaps" category.

Yoda says it better ;).

Cheerio,
Link.