From: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>, Bruce Momjian *EXTERN* <bruce(at)momjian(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Mark Mielke <mark(at)mark(dot)mielke(dot)cc>, Dave Page <dpage(at)pgadmin(dot)org>, Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Marko Kreen <markokr(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Greg Stark <gsstark(at)mit(dot)edu>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, mlortiz <mlortiz(at)uci(dot)cu> |
Subject: | Re: Rejecting weak passwords |
Date: | 2009-10-19 16:23:00 |
Message-ID: | 20091019162300.GC3352@alvh.no-ip.org |
Lists: | pgsql-hackers |

Tom Lane wrote:
> Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> > On Mon, 2009-10-19 at 14:54 +0200, Albe Laurenz wrote:
> >> I guess I misunderstood something there, but I had assumed that the
> >> checkbox item read something like: "Does the product offer password
> >> policy enforcement?" (to quote Dave Page).
>
> > The answer to that is currently "Yes, with external tools". Using the
> > plugin approach, the answer will remain "Yes, with external tools". So
> > we wouldn't gain much.
>
> Except that your first statement is false. It is not possible currently
> for any tool to prevent someone from doing ALTER USER joe PASSWORD joe.
> A server-side plugin can provide a guarantee that there are no bad
> passwords (for some value of bad, and with some possible adverse
> consequences). We don't have that today.

We do, if you have your server grabbing passwords from LDAP or whatever
external auth service you use. That would be more secure than anything
mentioned in this thread, because the password enforcement could work on
unencrypted passwords without adverse consequences.
--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.