Re: Rejecting weak passwords

Peter Eisentraut <peter_e@gmx.net>

From: Peter Eisentraut <peter_e@gmx.net>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Dave Page <dpage@pgadmin.org>, Marko Kreen <markokr@gmail.com>, Albe Laurenz <laurenz.albe@wien.gv.at>, Andrew Dunstan <andrew@dunslane.net>, mlortiz <mlortiz@uci.cu>, Magnus Hagander <magnus@hagander.net>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2009-10-14T22:12:50Z
Lists: pgsql-hackers
On Wed, 2009-10-14 at 12:59 -0400, Tom Lane wrote:
> If psql or pgAdmin takes a password and
> then sends it in the clear without telling me, that's a breach of
> trust
> with potentially serious consequences.  I might not trust the DBA, for
> example, or I might be less confident of the network infrastructure
> than he is.

Well, you would lose anyway if the DBA switches the pg_hba.conf setting
from md5 to password without telling you.  There is usually no
straightforward way in client applications to guard against that.
Something to think about.