Thank you all, for your views and advice.

As Mathew points out, PostgreSQL encryption features on a par with MySQL 4 don't occur until version PgSQL 7.4. Although PostgreSQL is now at version 7.4.5 and the new product is rich in features, research suggests that PgSQL users on a large scale are content with 7.3.x and earlier versions; face inertia to upgrade; and therefore it may be early for DBMA to rely on database encryption functions and still have good universality.

Consequently DBMA (DbMail Administrator GUI) 2.0.3 independently with PERL provides all password encryption options DbMail utilizes and is prepared for future developments including SHA1.

This is accomplished using some database encrypt features, with seamless failover to PERL module routines on two common PERL modules (tarballed with DBMA for convenience).

The case made by a couple of persons that clear text passwords for user accounts is consistent with clear text transmitted across the WAN, is no doubt widely accepted and applied. Like Sumbry, these persons also point out their systems are non-routable.

There is an often suggested concern that a compromised user account allows a potentially harmful opening to the database server*. Also, a nominal form of encryption for low-privilege access to databases is a requirement in some corporate IT policy frameworks.

It seems both practices are prolific. Certainly much depends on the environment, the stakeholders and the asset.

DBMA should acknowledge and suit the environments of the widest possible universe of admin users.

*(I should note that DBMA contains some security features which seek to deny its use as a point of attack against a database system by a privileged, authenticated user having malice or error.)

Another good point, raised by Jesse, has to do with over-the-shoulder console views of clear text passwords.

DBMA has now been modified to obscure passwords -- providing only a definition of what type they are -- except on the single 'user modify' / 'password change' GUI (three steps removed from the fascia) which displays the password no matter what its form so the admin can spot problems and make whatever changes are called for.

Password encryption options in DBMA are initially selected by radio button when the user is created.

The selectable options are:

'md5sum' - the password's MD5 hex digest

'md5' - a base64 hash from the password using four random salt chars.

'crypt' - using MD5 option and four-character seed

'plaintext' - clear text passwords

DBMA includes an "encrypt tool" which tests your setup and demonstrates each of the encrypt options plus some forward-looking notions including SHA1.

The latest version of DBMA (2.0.3) which includes changes resulting from your input is available at http://library.mobrien.com/dbmailadministrator/

It is most likely you will need to install at least the Crypt::PasswdMD5 module which relies on Digest::MD5, the latter being something most folks will already have installed. The latest versions of both of these small modules are contained in the DBMA tarball for convenience.

Again, my thanks to everyone for their input here and directly to me. It was very valuable.

Have many happy days...
Mike
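The four password options listed in the post, worked through as an added Perl example (not DBMA's own code and not part of the original message). It assumes the two modules the post says you will need, Digest::MD5 and Crypt::PasswdMD5, and the storage formats named in the comments are assumptions about how such values are kept, not a statement of DbMail's actual on-disk format; crypt(3) behaviour depends on the platform's C library.

```perl
#!/usr/bin/perl
# Added example (not DBMA code): produce and verify each password form
# named in the post, using the two modules the post recommends installing.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Crypt::PasswdMD5 qw(unix_md5_crypt);

my @SALT_CHARS = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');

# Four random salt characters, as used by the 'md5' option.
sub random_salt {
    my $len = shift || 4;
    return join '', map { $SALT_CHARS[int rand @SALT_CHARS] } 1 .. $len;
}

# Stored form of $password for the given option. The formats are assumed:
# hex digest for 'md5sum', "$1$salt$hash" (Crypt::PasswdMD5) for 'md5',
# the system crypt(3) for 'crypt', and the password itself for 'plaintext'.
sub encode_password {
    my ($type, $password, $salt) = @_;
    $salt = random_salt() unless defined $salt;
    return md5_hex($password)               if $type eq 'md5sum';
    return unix_md5_crypt($password, $salt) if $type eq 'md5';
    return crypt($password, $salt)          if $type eq 'crypt';
    return $password                        if $type eq 'plaintext';
    die "unknown password type '$type'\n";
}

# Check a candidate against the stored value; the salt is recovered from
# the stored value itself, so only the stored string is needed.
sub verify_password {
    my ($type, $candidate, $stored) = @_;
    my $salt = $stored;                       # crypt(3) reads its own salt prefix
    ($salt) = $stored =~ /^\$1\$([^\$]*)\$/ if $type eq 'md5';
    return encode_password($type, $candidate, $salt) eq $stored ? 1 : 0;
}

# Constructed sample: one account password stored under each option. The
# plaintext form is not echoed, in the spirit of the console-view change.
my $password = 'correct horse';
for my $type (qw(md5sum md5 crypt plaintext)) {
    my $stored = encode_password($type, $password);
    my $ok     = verify_password($type, $password, $stored);
    my $wrong  = verify_password($type, 'wrong guess', $stored);
    my $shown  = $type eq 'plaintext' ? '(not shown)' : $stored;
    printf "%-9s ok=%d wrong=%d stored=%s\n", $type, $ok, $wrong, $shown;
}
```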
