Re: Rejecting weak passwords

From: Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
To: Dave Page <dpage(at)pgadmin(dot)org>
Cc: Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Marko Kreen <markokr(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Greg Stark <gsstark(at)mit(dot)edu>, Bruce Momjian <bruce(at)momjian(dot)us>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, mlortiz <mlortiz(at)uci(dot)cu>, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>
Subject: Re: Rejecting weak passwords
Date: 2009-10-15 16:28:45
Message-ID: 4AD74DBD.7050900@mark.mielke.cc
Lists: pgsql-hackers

On 10/15/2009 10:08 AM, Dave Page wrote:
> It's certainly true that there are other ways for users to compromise
> their passwords if they want. The fact remains though, that most other
> DBMSs (and all major operating systems I can think of) offer password
> policy features as non-client checks which are difficult, if not
> impossible for the user to bypass. Clearly other people think it's
> important to do this, and we are compared against their products on a
> daily basis, so if we want to compete with them on a level playing
> field we need at least a comparable feature set.
>

Not so clear to me. If they're doing strong checks, this means they're
sending passwords in the clear or only barely encoded, or using some
OTHER method than 'alter role ... password ...' to change the password.

Point being - if you think this is absolutely important to do - don't go
+5% of the way - go 100% of the way.

Then again, I'm not so concerned about what arbitrary criteria some
person defines as "what makes a good database system". I'm more
concerned with what makes the system better for *me*. I don't see how
this entire thread helps *me* in any way - and I do understand the need
for strong passwords - and my company *does* have policies that require
strong passwords. Even if the plugin is provided - I'm not going to
activate it. I already have a policy for setting strong passwords that I
already follow.

Cheers,
mark

--
Mark Mielke <mark(at)mielke(dot)cc>
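The point Mark makes above, that a server-side strength check can only work on a password the server actually sees, can be shown with a small model of such a check. This is an added illustration, not code from PostgreSQL or from anyone in this thread; the only real-world detail it relies on is PostgreSQL's historical MD5 role-password format (the literal `md5` followed by the hex digest of password concatenated with role name, which a client may compute itself and pass to `ALTER ROLE ... PASSWORD`). The policy rules, the function names, and the role name `alice` are constructed for the example.

```python
"""Model of a server-side password check on ALTER ROLE ... PASSWORD.

Added illustration, not PostgreSQL code.  It shows that the check is only
as strong as the form in which the password arrives: cleartext can be
checked against a policy, a pre-hashed value cannot.
"""
import hashlib
import re
from typing import List, Tuple

# PostgreSQL's historical MD5 role-password format: "md5" followed by the
# 32 hex digits of md5(password || role_name).  A client may send this
# already-encoded string, in which case the server never sees the cleartext.
MD5_ROLE_PASSWORD = re.compile(r"md5[0-9a-f]{32}")


def md5_role_password(password: str, role_name: str) -> str:
    """Encode a password the way a client does before sending it pre-hashed."""
    digest = hashlib.md5((password + role_name).encode("utf-8")).hexdigest()
    return "md5" + digest


def is_prehashed(password: str) -> bool:
    """True when the ALTER ROLE string is an MD5 hash rather than cleartext."""
    return MD5_ROLE_PASSWORD.fullmatch(password) is not None


def plaintext_policy(password: str, role_name: str, min_len: int = 8) -> List[str]:
    """Strength rules that can only be evaluated on a cleartext password.

    Hypothetical policy for this example, not PostgreSQL's own rules.
    Returns a list of violations; an empty list means the password passes.
    """
    problems = []
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if role_name.lower() in password.lower():
        problems.append("contains the role name")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        problems.append("must mix letters and digits")
    return problems


def check_role_password(password: str, role_name: str) -> Tuple[str, List[str]]:
    """Model of a server-side hook invoked on ALTER ROLE ... PASSWORD.

    Returns (mode, problems).  With cleartext the full policy applies.  With a
    pre-hashed value the hook can only compare the hash against hashes of
    guesses it can compute itself; here the single guess is "password equals
    role name", so a weak but pre-hashed password passes untouched.
    """
    if is_prehashed(password):
        problems = []
        if password == md5_role_password(role_name, role_name):
            problems.append("password equals the role name")
        return "prehashed", problems
    return "plaintext", plaintext_policy(password, role_name)


if __name__ == "__main__":
    # Constructed inputs: the same weak password, sent cleartext and pre-hashed.
    for candidate in ("abc", md5_role_password("abc", "alice")):
        print(candidate, "->", check_role_password(candidate, "alice"))
```

The output for the two constructed inputs is the whole argument in one line each: the cleartext `abc` is rejected by the policy, while the pre-hashed form of the very same password comes back as `('prehashed', [])` because the hook has nothing to evaluate. A deployment that wants the check to be unavoidable therefore has to control the client side as well (for instance by requiring cleartext over an encrypted connection and rejecting pre-hashed values), which is the "go 100% of the way" Mark refers to.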