Re: Not storing MD5 hashed passwords

From: Jeff Janes <jeff(dot)janes(at)gmail(dot)com>
To: John R Pierce <pierce(at)hogranch(dot)com>
Cc: "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>
Subject: Re: Not storing MD5 hashed passwords
Date: 2015-10-14 22:19:13
Message-ID: CAMkU=1ycOqV5rRHSeg9+qDjcEmuESozjQ-FcqTLv3jXZcOi7fw@mail.gmail.com
Lists: pgsql-general

On Wed, Oct 14, 2015 at 1:41 PM, John R Pierce <pierce(at)hogranch(dot)com> wrote:

> On 10/14/2015 1:31 PM, Quiroga, Damian wrote:
>
> Does postgres support other (stronger) hashing algorithms than MD5 to
> store the database passwords at disk?
>
> If not, is there any plan to move away from MD5?
There are proposals to do so; the most advanced one I know of is with
SCRAM. But I don't think any of them have turned into actual plans yet.
But you are not restricted to PostgreSQL's built-in password authentication
methods; you can use its options for PAM, LDAP, RADIUS, GSSAPI, or SSPI, in
which case it doesn't store passwords at all but delegates that to someone
else.

> if you can read the password database, you already have superuser access to
> the full database

Unless you've captured a backup tape, or scraped some bits off a
not-quite-degaussed-enough discarded hard drive, or any number of other
things that can get you an offline copy of some (or all) of the data, but
doesn't give you live access to the running database (until you hack the
passwords).

Cheers,

Jeff
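As an added example (not part of this thread or of PostgreSQL itself), a small Python audit that recognises the password verifier formats found in a dump of pg_authid and flags roles still on the legacy MD5 form Jeff is discussing. The MD5 construction follows PostgreSQL's documented layout of the literal prefix "md5" plus md5(password || rolname); the SCRAM-SHA-256 layout is the one later PostgreSQL releases adopted; the sample rows are constructed.

```python
import hashlib
import re

# Legacy PostgreSQL verifier: "md5" + hex(MD5(password || role name)).
# The role name is the only "salt", so the value is fully deterministic for a
# given (password, role) pair and can be checked offline from any copy of the
# catalog, which is why a backup tape or discarded disk is a concern.
def pg_md5_password(password: str, rolname: str) -> str:
    digest = hashlib.md5((password + rolname).encode("utf-8")).hexdigest()
    return "md5" + digest

MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")
# SCRAM-SHA-256$<iterations>:<salt b64>$<StoredKey b64>:<ServerKey b64>
SCRAM_RE = re.compile(
    r"^SCRAM-SHA-256\$(\d+):[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+$"
)

def classify_rolpassword(value):
    """Return (kind, note) for one pg_authid.rolpassword value."""
    if value is None:
        return ("none", "no stored verifier; external auth (PAM/LDAP/...) or no password login")
    if MD5_RE.match(value):
        return ("md5", "deterministic, salted only by role name; offline copy is directly checkable")
    m = SCRAM_RE.match(value)
    if m:
        return ("scram-sha-256", f"random salt, {m.group(1)} iterations")
    return ("unknown", "unrecognised verifier format")

def audit_rolpasswords(rows):
    """rows: iterable of (rolname, rolpassword). Returns role names still on md5."""
    return [name for name, pw in rows if classify_rolpassword(pw)[0] == "md5"]

# Constructed sample resembling SELECT rolname, rolpassword FROM pg_authid.
SAMPLE_ROWS = [
    ("alice", pg_md5_password("correct horse", "alice")),
    ("bob", "SCRAM-SHA-256$4096:c2FsdHNhbHRzYWx0c2FsdA==$" + "A" * 43 + "=:" + "B" * 43 + "="),
    ("ldap_user", None),  # authenticated by an external method, nothing stored
]

if __name__ == "__main__":
    for name, pw in SAMPLE_ROWS:
        kind, note = classify_rolpassword(pw)
        print(f"{name:10s} {kind:14s} {note}")
    print("still on md5:", audit_rolpasswords(SAMPLE_ROWS))
```

The same password for two roles yields two different md5 values, but the same role and password always yield the same value, which is what makes a leaked copy of the catalog checkable without touching the live server.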
