Re: Parametrization minimum password lenght

Bertrand Drouvot <bertranddrouvot.pg@gmail.com>

From: Bertrand Drouvot <bertranddrouvot.pg@gmail.com>
To: Nathan Bossart <nathandbossart@gmail.com>
Cc: Emanuele Musella <emamuse86@gmail.com>, pgsql-hackers@lists.postgresql.org
Date: 2024-12-19T07:25:30Z
Lists: pgsql-hackers

Attachments

Hi,

On Wed, Dec 18, 2024 at 02:56:24PM -0600, Nathan Bossart wrote:
> Here is what I have staged for commit.

Thanks!

A few comments:

=== 1

+  if (pwdlen < min_password_length)
           ereport(ERROR,
                   (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
                    errmsg("password is too short")));

Now that the minimum password length is not "hardcoded" anymore, I wonder if it
wouldn't be better to provide more details here (pwdlen and min_password_length).

Suggestion in on_top_of_0001.txt attached.

=== 2

+       /* Define custom GUC variables. */
+       DefineCustomIntVariable("passwordcheck.min_password_length",
+                                                       "Minimum allowed password length.",
+                                                       NULL,
+                                                       &min_password_length,
+                                                       8,
+                                                       0, INT_MAX,

Since password must contain both letters and nonletters, 0 seems too low. I
wonder if 2 is not a better value (done in on_top_of_0001.txt attached).

Also, it seems to me that INT_MAX is too large (as mentioned in [1]), but that's
probably a nit.

[1]: https://www.postgresql.org/message-id/Zzzmw4IAvrypmFO4%40ip-10-97-1-34.eu-west-3.compute.internal

Regards,

-- 
Bertrand Drouvot
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com

Commits

  1. Add passwordcheck.min_password_length.