Tom Lane wrote:
I think David is suggesting that the hypothetical attacker could gain
economies of scale in multiple attacks (ie, if he'd been able to steal
the contents of multiple installations' pg_shadow, he'd only need to
generate his long list of precalculated hashes once).  I think this is
too far-fetched to justify an authentication protocol change though.

Also, MD5 hashing is fast enough that I'm not sure the above is really
significantly cheaper than a straight brute-force attack, ie, you just
take your list of possible passwords and compute the hashes on the fly.
The hashes are going to be much longer than the average real-world
password, so reading in a list of hashes is going to take several times
as much I/O as reading the passwords --- seems to me that it'd be
cheaper just to re-hash each password.

Many people use short and easy-to-guess passwords (remember we're not talking about the superuser only here), so the dictionary attack can be more effective than people think. And considering many people use the same password for several things, Postgres could become one of the easy sources to get/guess people's plaintext passwords from hacked machines.


At least Apache and Unix have been random-salting passwords for a while now.

However, I realize this will break the current MD5 hash, probably too painful to do at the moment. Perhaps for the future, non-MD5 hash...

--
dave

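To make the cost argument in the two messages above concrete, here is an added example (not part of the thread or of PostgreSQL) that models an unsalted, deterministic scheme against a per-account random-salt scheme and counts the hash work needed in each case. It assumes the unsalted scheme has the shape md5(password || username), which the thread does not spell out; the dictionary, username and accounts are constructed.

```python
import hashlib
import os

# Constructed dictionary of weak passwords (stands in for the precalculated list).
DICTIONARY = ["password", "letmein", "qwerty", "postgres", "summer2003"]

def legacy_hash(password, username):
    """Deterministic, unsalted scheme. Assumed shape: md5(password || username),
    so the same user + password hashes identically on every installation."""
    return hashlib.md5((password + username).encode()).hexdigest()

def salted_hash(password, salt):
    """Per-account random salt, in the spirit of Unix crypt / Apache htpasswd."""
    return hashlib.md5(salt + password.encode()).hexdigest()

def build_table(username):
    """Table computed once; reusable against every dump storing legacy_hash."""
    return {legacy_hash(pw, username): pw for pw in DICTIONARY}

def legacy_lookups(stolen_hashes, table):
    """Recover legacy hashes by lookup only: zero hash computations."""
    return [table[h] for h in stolen_hashes if h in table], 0

def salted_search(stolen):
    """Each (salt, hash) pair forces its own pass over the dictionary."""
    found, work = [], 0
    for salt, h in stolen:
        for pw in DICTIONARY:
            work += 1
            if salted_hash(pw, salt) == h:
                found.append(pw)
                break
    return found, work

def compare(n_installations=3, username="alice", password="letmein"):
    """Same person, same weak password on n installations (constructed)."""
    table = build_table(username)
    legacy = [legacy_hash(password, username)] * n_installations
    salted = [(s, salted_hash(password, s))
              for s in (os.urandom(4) for _ in range(n_installations))]
    legacy_found, legacy_work = legacy_lookups(legacy, table)
    salted_found, salted_work = salted_search(salted)
    return {
        "legacy_unique_hashes": len(set(legacy)),   # 1: identical everywhere
        "legacy_recovered": len(legacy_found),      # n, with no hashing at all
        "legacy_hash_work": legacy_work,
        "salted_unique_hashes": len({h for _, h in salted}),  # n distinct
        "salted_recovered": len(salted_found),      # still n here, but...
        "salted_hash_work": salted_work,            # ...the work grows with n
    }
```

The numbers bear out Tom's point that a weak password falls either way, and David's point that without a salt one table pays for every installation at once.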