Re: Rejecting weak passwords

Bruce Momjian <bruce@momjian.us>

From: Bruce Momjian <bruce@momjian.us>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Robert Haas <robertmhaas@gmail.com>, Mark Mielke <mark@mark.mielke.cc>, Dave Page <dpage@pgadmin.org>, Kevin Grittner <Kevin.Grittner@wicourts.gov>, Andrew Dunstan <andrew@dunslane.net>, Marko Kreen <markokr@gmail.com>, Magnus Hagander <magnus@hagander.net>, Greg Stark <gsstark@mit.edu>, pgsql-hackers <pgsql-hackers@postgresql.org>, mlortiz <mlortiz@uci.cu>, Albe Laurenz <laurenz.albe@wien.gv.at>
Date: 2009-10-16T17:34:44Z
Lists: pgsql-hackers
Tom Lane wrote:
> Bruce Momjian <bruce@momjian.us> writes:
> > So, are we agreed to provide a hook on the server side, but to use it
> > you have to configure your system with SSL and 'password'?  I can add
> > that to the TODO list.
> 
> I think we're agreed to provide the hook.  What restrictions the hook
> might enforce are not our concern.

Great, added to TODO:

	Allow server-side enforcement of password policies
	
	    Password checks might include password complexity or non-reuse of
	passwords. This facility will require the client to send the password to
	the server in plain-text, so SSL and 'password' authentication is
	necessary to use this features.
	
	        * http://archives.postgresql.org/pgsql-hackers/2009-09/msg01766.php
	        * http://archives.postgresql.org/pgsql-hackers/2009-10/msg00025.php 

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +