Re: Rejecting weak passwords
Bruce Momjian <bruce@momjian.us>
From: Bruce Momjian <bruce@momjian.us>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Magnus Hagander <magnus@hagander.net>, Dave Page <dpage@pgadmin.org>, Albe Laurenz <laurenz.albe@wien.gv.at>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2009-10-02T22:56:09Z
Lists: pgsql-hackers
Tom Lane wrote: > Magnus Hagander <magnus@hagander.net> writes: > > That said, it would still be good to have something actually *useful* > > in contrib. A bit more than just comparing userid and password. > > Perhaps at least being able to set the min length, and the requirement > > on having >1 "character class"? > > +1. There's still the issue of not being able to do much with a > pre-MD5'd password, though. Agreed. I am still a little worried that people will think they are checking for weak passwords when, for MD5, they are not. I am also worried that people will unknowingly reduce their security (not use MD5) to allow weak password checking. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + If your life is a hard drive, Christ can be your backup. +