Re: Rejecting weak passwords
Albe Laurenz <laurenz.albe@wien.gv.at>
From: "Albe Laurenz" <laurenz.albe@wien.gv.at>
To: "Peter Eisentraut *EXTERN*" <peter_e@gmx.net>
Cc: "Bruce Momjian *EXTERN*" <bruce@momjian.us>, "Tom Lane" <tgl@sss.pgh.pa.us>, "Robert Haas" <robertmhaas@gmail.com>, "Mark Mielke" <mark@mark.mielke.cc>, "Dave Page" <dpage@pgadmin.org>, "Kevin Grittner" <Kevin.Grittner@wicourts.gov>, "Andrew Dunstan" <andrew@dunslane.net>, "Marko Kreen" <markokr@gmail.com>, "Magnus Hagander" <magnus@hagander.net>, "Greg Stark" <gsstark@mit.edu>, "pgsql-hackers" <pgsql-hackers@postgresql.org>, "mlortiz" <mlortiz@uci.cu>
Date: 2009-10-19T12:54:38Z
Lists: pgsql-hackers
Peter Eisentraut wrote: >> I don't get why you need 'password' authentication for that. >> The point where the password should be checked is not when >> the user uses it to logon, but when he or she changes it. >> >> So in my opinion that should be: >> This facility will require to send new and changed password to >> the server in plain-text, so it will require SSL, and the use >> of encrypted passwords in CREATE/ALTER ROLE will have to be >> disabled. > > Note that this solution will still not satisfy the original checkbox > requirement. I guess I misunderstood something there, but I had assumed that the checkbox item read something like: "Does the product offer password policy enforcement?" (to quote Dave Page). I understood that to mean "does the server check if a new password complies with a certain set of rules". Yours, Laurenz Albe