Re: Rejecting weak passwords
Albe Laurenz <laurenz.albe@wien.gv.at>
From: "Albe Laurenz" <laurenz.albe@wien.gv.at>
To: "Tom Lane *EXTERN*" <tgl@sss.pgh.pa.us>, "Dave Page" <dpage@pgadmin.org>
Cc: "Andrew Dunstan" <andrew@dunslane.net>, "mlortiz" <mlortiz@uci.cu>, "Magnus Hagander" <magnus@hagander.net>, "pgsql-hackers" <pgsql-hackers@postgresql.org>
Date: 2009-09-29T06:46:07Z
Lists: pgsql-hackers
Tom Lane wrote: > > pgAdmin MD5's the passwords if you use the GUI to change them, or when > > add a user. It doesn't make any attempt to parse the SQL if you enter > > it yourself in the query tool though (nor is it going to). > > No, I wouldn't expect it to go that far. My point is just that > pre-MD5'd passwords are a lot commoner than Albe seems to think. Point taken. I thought about it some more, and I think that a password checking hook might still be somewhat useful even for MD5-encrypted passwords; the function could guess and exclude at least that dreadful all-too-frequent case of username = password. Yours, Laurenz Albe