> That's the whole point of the discussion- the way Postgres's > pg_shadow stuff works the salt is known and *because* of that > it might as well not exist since it means that you can > pre-compute the keyspace. I see your point. I don't know anything about postgres. I don't use it. But if someone can get to the pg_hba.conf file (I assume (hope) it is read/write by the process owner or root only?) then your screwed anyway. So while there may be better ways to store and use passwords, perhaps in light of the root of the problem (getting to the file) the fore-knowledge of a salt isn't that important. If an admin created a "strong" password (whatever that means), then pre-computation won't help an attacker get it. At worst for the admon, pre-computation will shorten the attackers time to know if the password can be broken or not. At best it might slow them down a bit (but not really). I dunno.
