Re: Rejecting weak passwords

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Bruce Momjian <bruce@momjian.us>
Cc: Kevin Grittner <Kevin.Grittner@wicourts.gov>, Dave Page <dpage@pgadmin.org>, Andrew Dunstan <andrew@dunslane.net>, Marko Kreen <markokr@gmail.com>, Magnus Hagander <magnus@hagander.net>, Greg Stark <gsstark@mit.edu>, pgsql-hackers <pgsql-hackers@postgresql.org>, mlortiz <mlortiz@uci.cu>, Albe Laurenz <laurenz.albe@wien.gv.at>
Date: 2009-10-14T22:28:12Z
Lists: pgsql-hackers
Bruce Momjian <bruce@momjian.us> writes:
> Tom Lane wrote:
>> But the main point is to hide the cleartext password, in any case.

> What if we added a GUC that only allowed password changes via an SSL
> connection.

How's that help?  The user has already exposed their new choice of
password to any hypothetical eavesdropper.  Of course, if they're smart,
they'll pick a different password before they try again on a secure
connection ... but good luck hoping for that.

(And, again, there is ABSOLUTELY NO NEED for us to put such debatable
policies into the core.  Anyone who thinks that's a good idea can have
his password-check plugin enforce it.)

			regards, tom lane