Re: Rejecting weak passwords

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at>
Cc: "Bruce Momjian *EXTERN*" <bruce(at)momjian(dot)us>, "Robert Haas" <robertmhaas(at)gmail(dot)com>, "Mark Mielke" <mark(at)mark(dot)mielke(dot)cc>, "Dave Page" <dpage(at)pgadmin(dot)org>, "Kevin Grittner" <Kevin(dot)Grittner(at)wicourts(dot)gov>, "Andrew Dunstan" <andrew(at)dunslane(dot)net>, "Marko Kreen" <markokr(at)gmail(dot)com>, "Magnus Hagander" <magnus(at)hagander(dot)net>, "Greg Stark" <gsstark(at)mit(dot)edu>, "pgsql-hackers" <pgsql-hackers(at)postgresql(dot)org>, "mlortiz" <mlortiz(at)uci(dot)cu>
Subject: Re: Rejecting weak passwords
Date: 2009-10-19 14:30:05
Message-ID: 4848.1255962605@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

"Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at> writes:
> Bruce Momjian wrote:
>> Password checks might include password complexity or non-reuse of
>> passwords. This facility will require the client to send the password to
>> the server in plain-text, so SSL and 'password' authentication is
>> necessary to use this features.

> So in my opinion that should be:
> This facility will require to send new and changed password to
> the server in plain-text, so it will require SSL, and the use
> of encrypted passwords in CREATE/ALTER ROLE will have to be
> disabled.

Actually, not one word of *either* version should be in TODO. All of
that is speculation about policies that a particular add-on module
might or might not choose to enforce.

regards, tom lane

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Stephen Frost 2009-10-19 14:33:47 Re: Application name patch - v2
Previous Message Marko Tiikkaja 2009-10-19 14:29:45 Re: Writeable CTEs and side effects