Re: Rejecting weak passwords
Kevin Grittner <kevin.grittner@wicourts.gov>
From: "Kevin Grittner" <Kevin.Grittner@wicourts.gov>
To: "Dave Page" <dpage@pgadmin.org>
Cc: "Andrew Dunstan" <andrew@dunslane.net>, "Marko Kreen" <markokr@gmail.com>, "Magnus Hagander" <magnus@hagander.net>, "Greg Stark" <gsstark@mit.edu>, "Bruce Momjian" <bruce@momjian.us>, "pgsql-hackers" <pgsql-hackers@postgresql.org>, "Tom Lane" <tgl@sss.pgh.pa.us>,"mlortiz" <mlortiz@uci.cu>, "Albe Laurenz" <laurenz.albe@wien.gv.at>
Date: 2009-10-14T21:51:19Z
Lists: pgsql-hackers
Dave Page <dpage@pgadmin.org> wrote: > No. Any checks at the client are worthless, as they can be bypassed > by 10 minutes worth of simple coding in any of a dozen or more > languages. Well, sure, but we're talking about a client going out of their way to wrestle the point of the gun toward their own foot, aren't we? If we're worried about the user compromising their own password, we have bigger problems, like that slip of paper in their desk drawer with the password written on it. I mean, I know some of these checklists can be pretty brain-dead (I've been on both sides of the RFP process many times), but it would seem over the top to say that client-side password strength checks aren't OK for the reason you give. -Kevin