Re: Rejecting weak passwords

From: Dave Page <dpage(at)pgadmin(dot)org>
To: Greg Stark <gsstark(at)mit(dot)edu>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Marko Kreen <markokr(at)gmail(dot)com>, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>, Andrew Dunstan <andrew(at)dunslane(dot)net>, mlortiz <mlortiz(at)uci(dot)cu>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Rejecting weak passwords
Date: 2009-10-14 18:50:23
Message-ID: 937d27e10910141150g140992e4wefbee74ecde721d8@mail.gmail.com
Lists: pgsql-hackers

On Wed, Oct 14, 2009 at 7:42 PM, Greg Stark <gsstark(at)mit(dot)edu> wrote:
> On Wed, Oct 14, 2009 at 10:28 AM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>>
>> I see three checks we are trying to do on passwords:
>>
>>        1) Password complexity enforcement/policies
>>        2) Password history - you can't reuse a password
>>        3) Account disable after X incorrect attempts
>
>
> This whole discussion seems very strange to me. Surely any
> organization with rules like this will want them to be system-wide and
> will have already implemented them in their PAM and LDAP systems
> (assuming they're not using Kerberos or something like that anyways).

Because like it or not, this 'feature' is one that people *are*
looking for in early stages of evaluations, and it counts against us
and can hurt our adoption when we can't tick that box.

As an example, after years of only offering password policy management
via the NT domain/active directory authentication methods, even
Microsoft finally gave in and added policy management for their SQL
Server accounts with SQL 2k5.

--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
