From: | Andrzej Zawadzki <zawadaa(at)gmail(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com>, Craig James <craig_james(at)emolecules(dot)com>, pgsql-admin(at)postgresql(dot)org |
Subject: | Re: password administration |
Date: | 2010-08-08 20:55:05 |
Message-ID: | 4C5F19A9.8020907@gmail.com |
Lists: | pgsql-admin |
On 05.08.2010 22:54, Tom Lane wrote:
> Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com> writes:
>
>> On Thu, Aug 5, 2010 at 2:20 PM, Craig James <craig_james(at)emolecules(dot)com> wrote:
>>
>>> A better solution is to implement a password-strength algorithm and require
>>> people to select decent passwords to begin with.
>>
>> Exactly. If you allow simpler passwords that have to be changed you
>> get things like:
>>
>> ilovemywife22 md5: b845aec254d018d118fe52c46ee8c98c
>>
>> changed to
>>
>> ilovemywife23 md5: 8c2b59e4d961478e3a9d5bd94979f329
>>
>> You can't tell how close they are by the md5. If you try to prevent
>> people from reusing similar passwords, then you have to store either
>> the previous passwords (bad security) or something like a soundex of
>> the previous password (also bad security.)
>>
> A place I know but won't name has a policy of storing your last five
> passwords (hopefully in md5'd form, but I don't actually know that) and
> not letting you reuse those. Of course this merely encourages people to
> use a cycle of six or so passwords, like something they can remember
> with one digit tagged on.
>
Hi!
Such a policy is in force in my country (Poland), but only if the system
contains personal data (government law).
8 or more characters - 2 capital letters, 2 digits
And... sometimes this is a pain in the... but we don't have a choice.
TIP: you don't need 6 passwords - just 2 - differing by one character ;-)
--
Andrzej Zawadzki
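
Added example, not part of the original message or of PostgreSQL: a sketch of the policy discussed in this thread (8 or more characters with 2 capital letters and 2 digits, plus a history of the last five password hashes), showing that one-character variants and a cycle of six passwords both pass it. The class and function names, the sample passwords, and the use of salted PBKDF2 in place of the md5 mentioned in the thread are assumptions.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 5        # "last five passwords", as described in the thread
PBKDF2_ROUNDS = 100_000  # assumed work factor, not taken from the thread

def meets_policy(pw: str) -> bool:
    """8 or more characters, at least 2 capital letters and 2 digits."""
    return (len(pw) >= 8
            and sum(c.isupper() for c in pw) >= 2
            and sum(c.isdigit() for c in pw) >= 2)

def _digest(pw: str, salt: bytes) -> bytes:
    # Salted PBKDF2 instead of bare md5 (assumption; the thread only mentions md5).
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

class PasswordHistory:
    """Hypothetical per-user store holding only salted hashes, never plaintext."""

    def __init__(self) -> None:
        self._entries = deque(maxlen=HISTORY_DEPTH)  # oldest entry falls off

    def is_reused(self, pw: str) -> bool:
        # Every entry has its own salt, so the candidate is re-hashed per entry.
        return any(hmac.compare_digest(_digest(pw, salt), stored)
                   for salt, stored in self._entries)

    def change(self, pw: str) -> str:
        """Return 'weak', 'reused' or 'ok'; the hash is stored only on 'ok'."""
        if not meets_policy(pw):
            return "weak"
        if self.is_reused(pw):
            return "reused"
        salt = os.urandom(16)
        self._entries.append((salt, _digest(pw, salt)))
        return "ok"

def run_demo() -> list:
    history = PasswordHistory()
    # Constructed sample passwords, not real credentials.
    attempts = ["ilovemywife22", "ILoveMyWife22", "ILoveMyWife22"]
    attempts += [f"ILoveMyWife{n}" for n in range(23, 28)]  # one-character variants
    attempts.append("ILoveMyWife22")  # five changes later the first one is accepted again
    return [(pw, history.change(pw)) for pw in attempts]

if __name__ == "__main__":
    for pw, verdict in run_demo():
        print(f"{pw:15} {verdict}")
```

An exact-match history only rejects identical passwords, so every near-duplicate in the run is accepted as long as it satisfies the character rules.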