Re: passwordcheck module problem

From: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
To: Zaur Hajili <zaurhajili(at)gmail(dot)com>, pgsql-www(at)postgresql(dot)org
Cc: nigarsalman7(at)gmail(dot)com
Subject: Re: passwordcheck module problem
Date: 2024-02-15 12:45:52
Message-ID: 0894d13fd95ecbf6bbde010bd13f50f735216e29.camel@cybertec.at
Lists: pgsql-www

On Thu, 2024-02-15 at 16:20 +0400, Zaur Hajili wrote:
> Recently one of the DBA course students informed me about a problem with the passwordcheck module.
>
> I cannot imagine that it is not a known issue, but if this is the known issue,
> then passwordcheck module loses all its functionality.
>
> The problem is, when a user changes their password via the \password psql meta-command,
> they can set any simple password successfully.
>
> Tested in versions 14, 15, 16. Same behavior.
>
> Postgres must check the password before converting to hash, it is clear that after
> hash it cannot detect the weakness.

That is clearly off-topic for the WWW list.

The limitation is well known, see the "Caution" in the documentation of the module
or the discussion that led to the module:
https://www.postgresql.org/message-id/flat/D960CB61B694CF459DCFB4B0128514C203937F49%40exadv11.host.magwien.gv.at

It is a catch-22: the only entity that sees the clear text password and can
check it is the client, and the server cannot trust the client.

Yours,
Laurenz Albe
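To make the catch-22 concrete, here is an added example (not code from the thread or from the passwordcheck module) that builds the kind of SCRAM-SHA-256 verifier psql's \password sends to the server, then shows the only check a server-side hook can still perform on it: recomputing the verifier for a few candidate strings with the stored salt and iteration count. The salt and candidate list are constructed for the demonstration, and SASLprep normalization is assumed to be the identity for these ASCII passwords.

```python
import base64
import hashlib
import hmac


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def scram_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    """Build a PostgreSQL-style verifier: SCRAM-SHA-256$iter:salt$StoredKey:ServerKey.

    This is what the client sends in ALTER ROLE ... PASSWORD '...' after \password,
    so the server never sees `password` itself. (SASLprep assumed to be identity.)
    """
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"


def parse_verifier(verifier: str):
    """Split a verifier into (iterations, salt, StoredKey); ServerKey is not needed here."""
    algo, rest = verifier.split("$", 1)
    if algo != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 verifier")
    params, keys = rest.split("$", 1)
    iterations, salt_b64 = params.split(":", 1)
    stored_b64, _server_b64 = keys.split(":", 1)
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(stored_b64)


def guess_weak_password(verifier: str, candidates):
    """All a server-side policy hook can do with a pre-hashed password: guess.

    Recomputes StoredKey for each candidate (e.g. the role name) and returns the
    first match, or None. A weak password that is not in `candidates` passes
    unnoticed, which is exactly the limitation discussed above.
    """
    iterations, salt, stored_key = parse_verifier(verifier)
    for cand in candidates:
        salted = hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, iterations)
        client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
        if hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key):
            return cand
    return None
```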
