Re: Rejecting weak passwords

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: "Albe Laurenz" <laurenz.albe@wien.gv.at>
Cc: "Dave Page" <dpage@pgadmin.org>, "Andrew Dunstan" <andrew@dunslane.net>, "mlortiz" <mlortiz@uci.cu>, "Magnus Hagander" <magnus@hagander.net>, "pgsql-hackers" <pgsql-hackers@postgresql.org>
Date: 2009-09-29T13:48:46Z
Lists: pgsql-hackers
"Albe Laurenz" <laurenz.albe@wien.gv.at> writes:
> I thought about it some more, and I think that a password checking
> hook might still be somewhat useful even for MD5-encrypted passwords;
> the function could guess and exclude at least that dreadful
> all-too-frequent case of username = password.

True.  You could probably even run through a moderate-size dictionary
of weak passwords, depending on how long you're willing to make the
user wait.  (CHECK_FOR_INTERRUPTS inside the loop would be polite ;-))

			regards, tom lane