Re: Rejecting weak passwords

On Wed, Oct 14, 2009 at 9:50 PM, Kevin Grittner
<Kevin(dot)Grittner(at)wicourts(dot)gov> wrote:
> Dave Page <dpage(at)pgadmin(dot)org> wrote:
>
>> I said up front this was a box-ticking exercise for these folks,
>
> Can they check the box if the provided clients include password
> strength checking?  I'm just wondering if we're going at this the hard
> way, if that really is the main goal.

No. Any checks at the client are worthless, as they can be bypassed by
10 minutes worth of simple coding in any of a dozen or more languages.

> And, perhaps slightly off topic: if the login password is sent over a
> non-encrypted stream, md5sum or not, can't someone use it to log in if
> they're generating their own stream to connect?  Discussions of which
> is the more secure way to change passwords seems a little silly if
> you're only worried about environments where someone can sniff any
> login sequence and spoof the user anyway.

No - see Tom's reply.

>> (meh - who cares if we can store 2009-02-31 - it stores all the
>> valid dates which are the ones that matter :-p )
>
> Oh, now that's just trolling -- you really don't want to open that can
> of worms again, do you?   :-p

Well, after 12+ years in these parts I figure anyone should get the
privilege of a small dig once in a while :-)

--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com