Re: Rejecting weak passwords

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Dave Page <dpage(at)pgadmin(dot)org>, Marko Kreen <markokr(at)gmail(dot)com>, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>, Andrew Dunstan <andrew(at)dunslane(dot)net>, mlortiz <mlortiz(at)uci(dot)cu>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Rejecting weak passwords
Date: 2009-10-14 17:08:34
Message-ID: 15555.1255540114@sss.pgh.pa.us
Lists: pgsql-hackers

Magnus Hagander <magnus(at)hagander(dot)net> writes:
> On Wed, Oct 14, 2009 at 18:25, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Let's see you do that (hint: "CREATD USER ... PASSWORD" is going to
>> throw a syntax error before you realize there's anything there that
>> might need to be protected).

> I'm unsure if it's our responsibility to think about that. We can leak
> a *lot* of sensitive information to the logs through syntax errors;
> this is just one of them. We *do* need to worry about the statements
> when they are sent properly, of course.

Even if they're "sent properly", this entire discussion misses the point.
The reason to not want cleartext passwords in the logs is that the user
doesn't trust the DBA. Why would a user who doesn't trust the DBA
want to trust him to not be running a modified copy of the database with
all this nice logic disabled?

The real point of crypted passwords is to not let uncrypted passwords
go anywhere outside the *user's* control. If the DBA wants to enforce
a policy that is incompatible with that, it should be extremely obvious
to all concerned that that's what he's doing. In particular it should
be in the user's face that he's about to send an uncrypted password,
so that he can think twice about the particular password he's choosing
(and hopefully not use one that's also good for another service). For
relatively smart clients like pgAdmin, there might also be an option
to refuse to send such a command across an insecure connection, or at
least nag the user about it.

regards, tom lane
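The client-side precaution Tom describes (pre-encrypt the password so the cleartext never leaves the user's control, and refuse to ship cleartext over an insecure link), as an added example that is not part of this thread or of PostgreSQL/pgAdmin code. The helper names are hypothetical; the hash construction is the pre-SCRAM one libpq's PQencryptPassword used, "md5" + md5(password || rolename), and the statement parsing is a deliberately simple regex over CREATE/ALTER ROLE|USER.

```python
import hashlib
import re

# Matches the PASSWORD 'literal' clause of CREATE/ALTER ROLE|USER ('' is an escaped quote).
_PASSWORD_CLAUSE = re.compile(r"(?i)\bPASSWORD\s+'((?:[^']|'')*)'")
# Captures the role name: group 1 if double-quoted (case kept), group 2 if bare (folded to lower).
_ROLE_NAME = re.compile(r'(?i)\b(?:CREATE|ALTER)\s+(?:ROLE|USER)\s+(?:"([^"]+)"|([A-Za-z_][\w$]*))')
# A literal the server already treats as encrypted: "md5" followed by 32 hex digits.
_ALREADY_MD5 = re.compile(r"^md5[0-9a-f]{32}$")


def pg_md5_password(password: str, role: str) -> str:
    """Pre-SCRAM construction used by libpq's PQencryptPassword: 'md5' + md5(password || role)."""
    return "md5" + hashlib.md5((password + role).encode("utf-8")).hexdigest()


def find_cleartext_password(sql: str):
    """Return (role, cleartext) if this statement would put a cleartext password on the wire
    (and therefore into the server log on a syntax error), or None if there is nothing to protect.
    role is None when the statement carries a PASSWORD clause but no recognisable role name."""
    m = _PASSWORD_CLAUSE.search(sql)
    if m is None:
        return None
    literal = m.group(1).replace("''", "'")
    if _ALREADY_MD5.match(literal):
        return None  # already encrypted on the client side
    r = _ROLE_NAME.search(sql)
    if r is None:
        return (None, literal)
    role = r.group(1) if r.group(1) is not None else r.group(2).lower()
    return (role, literal)


def prepare_password_command(sql: str, ssl: bool) -> str:
    """Rewrite the PASSWORD clause to its md5 form so the cleartext never leaves the client.
    If no role name can be found (so no hash can be built) and the link is not SSL, refuse
    rather than send a cleartext password over an insecure connection."""
    found = find_cleartext_password(sql)
    if found is None:
        return sql
    role, cleartext = found
    if role is None:
        if not ssl:
            raise ValueError("refusing to send a cleartext password over a non-SSL connection")
        return sql
    hashed = pg_md5_password(cleartext, role)
    return _PASSWORD_CLAUSE.sub(lambda _m: "PASSWORD '" + hashed + "'", sql, count=1)
```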
