Re: Rejecting weak passwords

Robert Haas <robertmhaas@gmail.com>

From: Robert Haas <robertmhaas@gmail.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Albe Laurenz <laurenz.albe@wien.gv.at>, Dave Page <dpage@pgadmin.org>, Andrew Dunstan <andrew@dunslane.net>, mlortiz <mlortiz@uci.cu>, Magnus Hagander <magnus@hagander.net>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2009-09-29T14:18:34Z
Lists: pgsql-hackers
On Tue, Sep 29, 2009 at 9:48 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> "Albe Laurenz" <laurenz.albe@wien.gv.at> writes:
>> I thought about it some more, and I think that a password checking
>> hook might still be somewhat useful even for MD5-encrypted passwords;
>> the function could guess and exclude at least that dreadful
>> all-too-frequent case of username = password.
>
> True.  You could probably even run through a moderate-size dictionary
> of weak passwords, depending on how long you're willing to make the
> user wait.  (CHECK_FOR_INTERRUPTS inside the loop would be polite ;-))

But how much value is there in that?  This whole thing seems like a
dead end to me.  No matter how long you're willing to wait, putting
the checking on the client side will let you far more validation for
the same price.

...Robert