Re: You're on SecurityFocus.com for the cleartext passwords.

From: Vince Vielhaber <vev(at)michvhf(dot)com>
To: The Hermit Hacker <scrappy(at)hub(dot)org>
Cc: "Sverre H(dot) Huseby" <sverrehu(at)online(dot)no>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: You're on SecurityFocus.com for the cleartext passwords.
Date: 2000-05-06 01:12:56
Message-ID: Pine.BSF.4.21.0005052107150.13605-100000@paprika.michvhf.com
Lists: pgsql-general pgsql-hackers

On Fri, 5 May 2000, The Hermit Hacker wrote:

> On Sat, 6 May 2000, Sverre H. Huseby wrote:
>
> > Don't know if you know this already, but since April 23, you've been
> > on SecurityFocus.com for the cleartext passwords in pg_shadow:
> >
> > http://www.securityfocus.com/bid/1139
> >
> > I know it has been discussed at least a couple of times before, but in
> > my opinion this is an issue that needs a solution.
> >
> > The problem with cleartext passwords is not just that root, postgres
> > super user or anyone who has legally or illegally got access to the
> > system can see the passwords a user uses to log in to PostgreSQL. The
> > problem lies in the well known fact that we tend to use the same
> > password several places, if not everywhere. With all the passwords
> > needed these days, that is how it _has_ to be.
> >
> > The first PostgreSQL based site that gets cracked, will make headlines
> > stating that passwords have got into the wrong hands. Do we (or you)
> > want that?
>
> You've lost me here ... the only person(s) that can get at those passwords
> are those that have compromised the system already. Even if the passwords
> *weren't* in cleartext, there is nothing that stops me from downloading
> the data/* directory down to my computer and running pg_upgrade to "make
> it my own", removing the passwords ...

Same defense I used when I responded to the BugTRAQ post. Even though I
understand the possible ramifications of cleartext passwords, I still
stand by my previous comments: an admin needs to properly maintain and
protect the systems they're entrusted to. However, after reading about
the www.apache.org compromise details earlier today I'm of the opinion
now that we should look into encrypting the passwords. I'm also of the
opinion that I should volunteer to at least help in the fixing of it.

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev(at)michvhf(dot)com http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================
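A small model of the two threat-model points argued in this thread, added here as an example (not code from the message or from PostgreSQL; the pg_shadow stand-in, the user "alice" and the password are constructed): whoever holds an offline copy of data/* can overwrite any account in that copy whatever the storage form, but only cleartext storage hands over a password the user may be reusing elsewhere. Salted PBKDF2 stands in for whatever "encrypting" the passwords would finally look like.

```python
import hashlib
import hmac
import os

# Constructed stand-in for pg_shadow: username -> stored secret. The real
# catalog layout is not on the page; this dict is an assumption for illustration.
ITERATIONS = 100_000


def store_hashed(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def check_login(stored: str, password: str) -> bool:
    """Verify a login against either storage form (cleartext or salted hash)."""
    if "$" not in stored:  # cleartext entry, as pg_shadow held it at the time
        return hmac.compare_digest(stored.encode(), password.encode())
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def passwords_learned(copied_shadow: dict) -> dict:
    """What the holder of a copied data directory reads directly: the secret,
    reusable on other systems, for cleartext entries; nothing for hashed ones."""
    return {user: (s if "$" not in s else None) for user, s in copied_shadow.items()}


def take_over_copy(copied_shadow: dict, user: str, new_password: str) -> bool:
    """The 'make it my own' point from the thread: the holder of the copy can
    overwrite the entry in it, hashed or not, and then log in to that copy."""
    hashed_form = "$" in copied_shadow[user]
    copied_shadow[user] = store_hashed(new_password) if hashed_form else new_password
    return check_login(copied_shadow[user], new_password)


# Constructed sample catalogs holding the same user and password in both forms
CLEARTEXT_SHADOW = {"alice": "hunter2"}
HASHED_SHADOW = {"alice": store_hashed("hunter2")}
```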
