Re: Rejecting weak passwords

Albe Laurenz <laurenz.albe@wien.gv.at>

From: "Albe Laurenz" <laurenz.albe@wien.gv.at>
To: "Tom Lane *EXTERN*" <tgl@sss.pgh.pa.us>, "Dave Page" <dpage@pgadmin.org>
Cc: "Andrew Dunstan" <andrew@dunslane.net>, "mlortiz" <mlortiz@uci.cu>, "Magnus Hagander" <magnus@hagander.net>, "pgsql-hackers" <pgsql-hackers@postgresql.org>
Date: 2009-09-29T06:46:07Z
Lists: pgsql-hackers
Tom Lane wrote:
> > pgAdmin MD5's the passwords if you use the GUI to change them, or when
> > add a user. It doesn't make any attempt to parse the SQL if you enter
> > it yourself in the query tool though (nor is it going to).
> 
> No, I wouldn't expect it to go that far.  My point is just that
> pre-MD5'd passwords are a lot commoner than Albe seems to think.

Point taken.

I thought about it some more, and I think that a password checking
hook might still be somewhat useful even for MD5-encrypted passwords;
the function could guess and exclude at least that dreadful
all-too-frequent case of username = password.

Yours,
Laurenz Albe