Re: Rejecting weak passwords

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Dave Page <dpage(at)pgadmin(dot)org>, Marko Kreen <markokr(at)gmail(dot)com>, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>, Andrew Dunstan <andrew(at)dunslane(dot)net>, mlortiz <mlortiz(at)uci(dot)cu>, Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Rejecting weak passwords
Date: 2009-10-14 19:17:00
Message-ID: 603c8f070910141217r4bc84fccqfa96593aeb02d0dc@mail.gmail.com
Lists: pgsql-hackers

On Wed, Oct 14, 2009 at 1:48 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
>> On Wed, Oct 14, 2009 at 12:25 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>> Let's see you do that (hint: "CREATD USER ... PASSWORD" is going to
>>> throw a syntax error before you realize there's anything there that
>>> might need to be protected).
>
>> It seems to me incredibly rare for anyone to issue a manual CREATE
>> USER command with an encrypted password.  And if it is generated by a
>> script, it will presumably not have a trivial typographical error.
>
> Uh, this discussion was about cleartext passwords?

I understand that. The point is, you seemed to be worried that
log-obfuscation wouldn't work because someone might type "CREATD USER
... PASSWORD" rather than "CREATE USER ... PASSWORD". But this can
happen today, too, can't it? The only difference is that today the
password MIGHT be encrypted. But if the user is really entering the
command manually, it's probably not. Sure, someone COULD pre-MD5 a
string and then copy and paste it into a psql session, but I bet
that's not too common. I suspect people using the pre-MD5 option are
using a more sophisticated client of some sort anyway.

...Robert
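The two ideas discussed in this message, as an added example (not part of the original email and not PostgreSQL's own code): a log scrubber that keys on the PASSWORD keyword instead of a successfully parsed command, so a mistyped "CREATD USER" line is still masked, and client-side pre-MD5 hashing so the cleartext never reaches the server. The function names and sample log lines are constructed for illustration.

```python
import hashlib
import re

# Matches PASSWORD followed by a single-quoted literal ('' is an escaped quote),
# closed or not, without requiring the rest of the statement to parse.
_PASSWORD_LITERAL = re.compile(r"(\bPASSWORD\s+)'(?:[^']|'')*(?:'|$)", re.IGNORECASE)


def redact_password(log_line: str) -> str:
    """Mask the literal after PASSWORD, even when the command verb is misspelled."""
    return _PASSWORD_LITERAL.sub(r"\1'<redacted>'", log_line)


def pg_md5_verifier(username: str, password: str) -> str:
    """Pre-MD5 form accepted by PostgreSQL: 'md5' + hex(md5(password || username))."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def create_user_sql(username: str, password: str) -> str:
    """Build the statement client-side so only the verifier reaches the server."""
    ident = '"' + username.replace('"', '""') + '"'
    return f"CREATE USER {ident} ENCRYPTED PASSWORD '{pg_md5_verifier(username, password)}'"


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    'ERROR:  syntax error at or near "CREATD" at character 1',
    "STATEMENT:  CREATD USER bob PASSWORD 's3cret';",
    "STATEMENT:  alter role bob password 'it''s a secret';",
    "STATEMENT:  CREATE USER bob PASSWORD 'never closed",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(redact_password(line))
    print(create_user_sql("bob", "s3cret"))
```

The scrubber also masks the pre-MD5 verifier, since it applies to any literal that follows PASSWORD.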
