Re: Rejecting weak passwords

On 10/15/2009 03:54 AM, Dave Page wrote:
> On Wed, Oct 14, 2009 at 11:21 PM, Mark Mielke<mark(at)mark(dot)mielke(dot)cc> wrote:
>
>> On 10/14/2009 05:33 PM, Dave Page wrote:
>>
>>> No. Any checks at the client are worthless, as they can be bypassed by
>>> 10 minutes worth of simple coding in any of a dozen or more languages.
>>>
>>>
>> Why care?
>>
> Because many large (and small for that matter) organisations also have
> security policies which mandate the enforcement of specific password
> policies. Just because you think it's worthless to try to prevent
> someone reusing a password, or using 'password' doesn't mean that
> everyone else does. Some organisations will use such a feature in a
> box-ticking exercise when evaluating, and others may actually decide
> to use the feature, and expect it to work effectively.
>
> Beside, we are not in the habit of putting half-arsed features in
> PostgreSQL. If we do something, we do it properly.
>

You miss my point (and conveniently cut it out). For users who
accidentally break policy vs users who purposefully circumvent policy -
the approaches must be different, and the risk management decision may
be different.

It's a lot easier to circumvent policy than most people (management
specifically) realize. If your attempt it to absolutely prevent a
determined competent individual from circumventing your policy - you
need to do a LOT MORE than what you are suggesting.

If you just want to prevent accidents - having the client software do
the checks is fine.

Cheers,
mark

--
Mark Mielke<mark(at)mielke(dot)cc>