marcin mank <marcin.m...@gmail.com> writes:
>> The case that ENCRYPTED
>> protects against is database superusers finding out other users'
>> original passwords, which is a security issue to the extent that those
>> users have used the same/similar passwords for other systems.

> I just want to note that md5 is not much of a protection against this
> case these days. Take a look at this:
> http://www.golubev.com/hashgpu.htm
> It takes about 32 hours to brute force all passwords from [a-zA-Z0-9]
> of up to 8 chars in length.

Yeah, but that will find you a password that hashes to the same thing.
Not necessarily the same password. It'll get you into the Postgres DB
just fine, which you don't care about because you're already a superuser
there. It won't necessarily get you into the assumed third-party systems.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers