Re: Rejecting weak passwords
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: "Albe Laurenz" <laurenz.albe@wien.gv.at>
Cc: "Dave Page" <dpage@pgadmin.org>, "Andrew Dunstan" <andrew@dunslane.net>, "mlortiz" <mlortiz@uci.cu>, "Magnus Hagander" <magnus@hagander.net>, "pgsql-hackers" <pgsql-hackers@postgresql.org>
Date: 2009-09-29T13:48:46Z
Lists: pgsql-hackers
"Albe Laurenz" <laurenz.albe@wien.gv.at> writes: > I thought about it some more, and I think that a password checking > hook might still be somewhat useful even for MD5-encrypted passwords; > the function could guess and exclude at least that dreadful > all-too-frequent case of username = password. True. You could probably even run through a moderate-size dictionary of weak passwords, depending on how long you're willing to make the user wait. (CHECK_FOR_INTERRUPTS inside the loop would be polite ;-)) regards, tom lane