Re: Rejecting weak passwords

From: Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
To: Dave Page <dpage(at)pgadmin(dot)org>
Cc: Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Marko Kreen <markokr(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Greg Stark <gsstark(at)mit(dot)edu>, Bruce Momjian <bruce(at)momjian(dot)us>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, mlortiz <mlortiz(at)uci(dot)cu>, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>
Subject: Re: Rejecting weak passwords
Date: 2009-10-14 22:21:15
Message-ID: 4AD64EDB.1070509@mark.mielke.cc
Lists: pgsql-hackers

On 10/14/2009 05:33 PM, Dave Page wrote:
> On Wed, Oct 14, 2009 at 9:50 PM, Kevin Grittner
> <Kevin(dot)Grittner(at)wicourts(dot)gov> wrote:
>
>> Can they check the box if the provided clients include password
>> strength checking? I'm just wondering if we're going at this the hard
>> way, if that really is the main goal.
>>
> No. Any checks at the client are worthless, as they can be bypassed by
> 10 minutes worth of simple coding in any of a dozen or more languages.
>

Why care? If the client is purposefully disabling password checks to
use a "weak" password - this is an entirely different problem from
somebody trying a weak password and being allowed. Circumvention of
process is always a risk, and should be dealt with as a human resources
problem. Why not stop the admin from disabling the security check when
they create their pgadmin password too? We can't trust anybody - right?

PAM does security checking client-side I think? I'm sure others do too?

I'm not saying server checks are worthless - but I think you are
exaggerating to say that client checks are worthless. Sending the
password in cleartext via SQL seems bad. Sending it encoded seems only
marginally better. Sending it in MD5 is good but means that password
strength needs to be done by the client. You are saying that it's worth
the loss of security in one area, to improve security in another.
Providing client checks in the "official" clients is probably sufficient
for your checkbox that you think is so important. Unless you think it is
impossible to circumvent process in any of these "other" databases that
do such a better job?

Personally, I don't think PostgreSQL is the best place to manage
passwords at this level anyways, beyond the basic usage. PostgreSQL
shouldn't need to know the password, and the password should still be
required to be as strong as the organization requires it. Lots of other
solutions here - PAM, LDAP, Kerberos, ... How much of these solutions
should PostgreSQL re-implement?

Cheers,
mark

--
Mark Mielke <mark(at)mielke(dot)cc>
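The trade-off Mark describes above (a client that pre-hashes the password in PostgreSQL's MD5 form leaves the server nothing to evaluate for strength, so the policy has to run on the client) can be made concrete. The following is an added illustration, not code from this thread or from PostgreSQL or pgAdmin: it implements a small client-side policy, encodes the password the way PostgreSQL's md5 scheme does (the string "md5" followed by the hex MD5 of password concatenated with user name, which is the real format), and shows what the server can and cannot check once it receives the value. The strength thresholds and the COMMON_PASSWORDS set are constructed assumptions for the demo, not any project's policy.

```python
import hashlib
import re

# Constructed stand-in for a real common-password dictionary (assumption for the demo).
COMMON_PASSWORDS = {"password", "123456", "postgres", "qwerty", "letmein"}

# Character-class patterns used by the client-side policy below.
_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")


def check_strength(password, username, min_length=12, min_classes=3):
    """Client-side policy check.

    Returns a list of reasons the password is weak; an empty list means it passes.
    Thresholds are assumed values for this example, not a recommended standard.
    """
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    classes = sum(1 for pattern in _CLASSES if re.search(pattern, password))
    if classes < min_classes:
        problems.append("fewer than %d character classes" % min_classes)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def pg_md5_encode(password, username):
    """PostgreSQL's pre-hashed password form: 'md5' + hex(md5(password || username)).

    The user name acts as the salt, so the same password yields different
    values for different roles.
    """
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def server_can_check_strength(received):
    """What a server-side policy hook could do with the value it receives.

    A cleartext password can be evaluated; a value already in md5 form
    cannot, because the server never sees the password itself.
    """
    return re.fullmatch(r"md5[0-9a-f]{32}", received) is None


def client_set_password(password, username):
    """Client flow: enforce the policy first, then send only the hashed form."""
    problems = check_strength(password, username)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    return pg_md5_encode(password, username)


if __name__ == "__main__":
    # Constructed sample values for the demo.
    for candidate in ("password", "Correct-Horse-Battery-42"):
        reasons = check_strength(candidate, "alice")
        print(candidate, "->", reasons or "accepted")
    wire_value = client_set_password("Correct-Horse-Battery-42", "alice")
    print("sent to server:", wire_value)
    print("server can apply a policy to it:", server_can_check_strength(wire_value))
```

Running it shows the weak candidate rejected on the client with the reasons listed, and the accepted one leaving the client only as an `md5...` string, which is exactly the value a server-side strength check would have to give up on. A server that wants to enforce policy itself therefore has to receive cleartext, which is the other side of the trade-off in the message above.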
