Tony Caduto wrote: > Magnus Hagander wrote: >> Are we sure we want to do this? (Sorry, didn't notice this thread last >> time) >> >> The default on *all* windows versions since NT 4.0 (which is when the >> directory we use was added) will put this file in a protected directory. >> > Is there truly such a thing on a windows PC? All it takes is one Virus > or Malware to gain access to the PC and anything stored in the > user profile is easy picking. > The virus and malware creators may not know about the pg_pass file now, > but they will eventually. > What about having a wallet type system where the user can create a pass > phrase to protect a generated key that would get > loaded once per session. That is how KDE allows users to store passwords. > > I work at a large financial institution and if the auditors knew about > the pg_pass being plain text, they would pretty much ban > it's use. > > Anytime a password is sitting on a non encrypted file system, regardless > of it's permissions it is potentially at risk. If we wanted to do that, we could use the Windows API that's available to do this. The idea with the pgpass flie is to have it compatible with the unix version. //Magnus
