From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
---|---|
To: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>, Bruce Momjian *EXTERN* <bruce(at)momjian(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Mark Mielke <mark(at)mark(dot)mielke(dot)cc>, Dave Page <dpage(at)pgadmin(dot)org>, Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, Marko Kreen <markokr(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Greg Stark <gsstark(at)mit(dot)edu>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, mlortiz <mlortiz(at)uci(dot)cu> |
Subject: | Re: Rejecting weak passwords |
Date: | 2009-10-19 16:37:19 |
Message-ID: | 4ADC95BF.7010208@dunslane.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Alvaro Herrera wrote:
>> Except that your first statement is false. It is not possible currently
>> for any tool to prevent someone from doing ALTER USER joe PASSWORD joe.
>> A server-side plugin can provide a guarantee that there are no bad
>> passwords (for some value of bad, and with some possible adverse
>> consequences). We don't have that today.
>>
>
> We do, if you have you server grabbing passwords from LDAP or whatever
> external auth service you use. That would be more secure than anything
> mentioned in this thread, because the password enforcement could work on
> unencrypted passwords without adverse consequences.
>
We don't have it today for passwords that postgres manages. Unless we're
going to rely on an external auth source completely, I think there's a
good case for the hooks, but not for any of the other "adjustments" that
people have suggested.
cheers
andrew
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2009-10-19 16:37:54 | Re: Rejecting weak passwords |
Previous Message | Stephen Frost | 2009-10-19 16:29:16 | Re: Controlling changes in plpgsql variable resolution |