Hi,

On 4 March 2015 at 12:03, Aaron Zauner <a...@azet.org> wrote:
>> Uh, no, using 'password' is far worse, and uniformly so, than using md5.
>> I have no idea why anyone would think it's better to store a cleartext
>> version of your password in the pg_authid data (note that pg_shadow is
>> only a view now, I replaced it long ago when I rewrote the user/group
>> system to be role-based).

I was referring to the pg_hba.conf setting in my recommendation. Using
"password" there does not change the stored hash, it only changes the
network protocol.

> Agreed - most enterprise or cloud deployments I've been involved with
> use either PKIX or Kerberos. This is a good security measure.
> Replacing MD5 would be nice as well (scrypt, bcrypt?). But I guess a
> Debian bug report is the wrong place to discuss this.

Agree that a Debian bug is the wrong place to discuss fixing password hashing.
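
The point made in this reply is that the pg_hba.conf method selects the wire protocol, not the stored hash. With `password` the client sends the password itself, so it matters whether the matching rule can apply to a non-TLS TCP connection. The following is an added example, not part of the original message: the sample file and function names are constructed, and the parser deliberately ignores quoted fields and include directives.

```python
import ipaddress

# Constructed sample pg_hba.conf (not taken from the thread).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS  METHOD
local   all       postgres                 peer
host    all       all       127.0.0.1/32   md5
host    app       app       10.0.0.0 255.255.255.0 password
hostssl app       app       0.0.0.0/0      password
hostnossl all     all       192.0.2.0/24   password
"""


def _is_ip(value):
    """True if value parses as a bare IPv4/IPv6 address (used to spot a netmask field)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Yield (lineno, conn_type, method) for every rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        conn_type = fields[0]
        if conn_type == "local":
            idx = 3                      # local DATABASE USER METHOD
        else:
            idx = 4                      # host* DATABASE USER ADDRESS METHOD
            # Address may also be written as "IP NETMASK" in two fields.
            if len(fields) > 4 and "/" not in fields[3] and _is_ip(fields[4]):
                idx = 5
        if len(fields) > idx:
            yield lineno, conn_type, fields[idx]


def cleartext_on_wire(text):
    """Rules where 'password' auth can match an unencrypted TCP connection.

    'host' matches both TLS and non-TLS connections; 'hostnossl' only non-TLS.
    'hostssl' is TLS-only and 'local' is a Unix socket, so neither is flagged.
    """
    return [(n, t) for n, t, m in parse_pg_hba(text)
            if m == "password" and t in ("host", "hostnossl")]
```
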