Re: Rejecting weak passwords
Dave Page <dpage@pgadmin.org>
From: Dave Page <dpage@pgadmin.org>
To: Greg Stark <gsstark@mit.edu>
Cc: Bruce Momjian <bruce@momjian.us>, Magnus Hagander <magnus@hagander.net>, Tom Lane <tgl@sss.pgh.pa.us>, Marko Kreen <markokr@gmail.com>, Albe Laurenz <laurenz.albe@wien.gv.at>, Andrew Dunstan <andrew@dunslane.net>, mlortiz <mlortiz@uci.cu>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2009-10-14T18:50:23Z
Lists: pgsql-hackers
On Wed, Oct 14, 2009 at 7:42 PM, Greg Stark <gsstark@mit.edu> wrote: > On Wed, Oct 14, 2009 at 10:28 AM, Bruce Momjian <bruce@momjian.us> wrote: >> >> I see three checks we are trying to do on passwords: >> >> 1) Password complexity enforcement/policies >> 2) Password history - you can't reuse a password >> 3) Account disable after X incorrect attempts > > > This whole discussion seems very strange to me. Surely any > organization with rules like this will want them to be system-wide and > will have already implemented them in their PAM and LDAP systems > (assuming their not using Kerberos or something like that anyways). Because like it or not, this 'feature' is one that people *are* looking for in early stages of evaluations, and it counts against us and can hurt our adoption when we can't tick that box. As an example, after years of only offering password policy management via the NT domain/active directory authentication methods, even Microsoft finally gave in and added policy management for their SQL Server accounts with SQL 2k5. -- Dave Page EnterpriseDB UK: http://www.enterprisedb.com