Re: Rejecting weak passwords

From: Dave Page <dpage(at)pgadmin(dot)org>
To: Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
Cc: Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Marko Kreen <markokr(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Greg Stark <gsstark(at)mit(dot)edu>, Bruce Momjian <bruce(at)momjian(dot)us>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, mlortiz <mlortiz(at)uci(dot)cu>, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>
Subject: Re: Rejecting weak passwords
Date: 2009-10-15 16:41:34
Message-ID: 937d27e10910150941x72f7188fre6b50c5cd672de30@mail.gmail.com
Lists: pgsql-hackers

On Thu, Oct 15, 2009 at 5:28 PM, Mark Mielke <mark(at)mark(dot)mielke(dot)cc> wrote:
>
> Not so clear to me. If they're doing strong checks, this means they're
> sending passwords in the clear or only barely encoded, or using some OTHER
> method than 'alter role ... password ...' to change the password.

Some are sending them in the clear (though often over SSL connections).

> Point being - if you think this is absolutely important to do - don't go +5%
> of the way - go 100% of the way.

Exactly - that's why I want to see a check in the server, not the
client, which should get to 95%. I also happen to agree with Magnus
that the only really secure way to do this is outside of SQL, but I
can't see us dropping ALTER USER ... WITH PASSWORD in a hurry.

> Then again, I'm not so concerned about what arbitrary criteria some person
> defines as "what makes a good database system". I'm more concerned with what
> makes the system better for *me*. I don't see how this entire thread helps
> *me* in any way - and I do understand the need for strong passwords - and my
> company *does* have policies that require strong passwords. Even if the
> plugin is provided - I'm not going to activate it. I already have a policy
> for setting strong passwords that I already follow.

That's an excellent point. It probably doesn't make any difference to
you or many of the other people on this list who are concerned with
running their own systems and may already use other techniques, such
as LDAP, SSPI etc.

A not-insignificant percentage of the people here are not concerned
with running their own systems though. They are working to help new
users adopt PostgreSQL, and make a living selling services or support
to those users. Sometimes that can be for huge projects, where it is
necessary to justify every difference in check-box items against other
products to get past the early eval stages. Like it or not, that is a
fact, and this hampers our adoption.

--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
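The limitation discussed in this thread, modelled as an added example (this is illustration code, not PostgreSQL's own password hook or the later passwordcheck module): a server-side check can only examine what the client actually sends. A cleartext ALTER ROLE ... PASSWORD 'secret' lets the server apply real strength rules; a client that pre-hashes into PostgreSQL's legacy 'md5' format (the literal prefix md5 followed by the 32 hex digits of md5(password || username)) leaves the server able to test only a handful of guesses it can hash itself. The rule set, the guess list and the function names are assumptions chosen for the example.

```python
"""Server-side password check that can only enforce rules on what it sees.

Added illustration, not PostgreSQL code. The md5 storage format modelled here
('md5' + hex(md5(password || username))) is PostgreSQL's legacy format; the
strength rules and guess list below are this example's own assumptions.
"""
import hashlib
import re

# PostgreSQL's legacy pre-hashed form: 'md5' followed by 32 lowercase hex digits.
MD5_HASH_RE = re.compile(r"^md5[0-9a-f]{32}$")
MIN_LENGTH = 8  # assumed policy minimum for the example


def pg_md5_hash(password: str, username: str) -> str:
    """Build the legacy stored form: 'md5' + md5(password || username)."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def check_cleartext(username: str, password: str) -> list:
    """Rules the server can enforce only because it sees the cleartext."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    if username.lower() in password.lower():
        problems.append("password contains the user name")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("password must contain both letters and digits")
    return problems


def check_hashed(username: str, hashed: str, guesses=()) -> list:
    """With a pre-hashed password the server cannot measure strength at all.

    The best it can do is hash a few known-bad candidates the same way the
    client did and compare: the user name itself plus an assumed guess list.
    Anything else, however weak, is invisible to the server.
    """
    problems = []
    for candidate in [username, *guesses]:
        if pg_md5_hash(candidate, username) == hashed:
            problems.append(f"password equals trivially guessable value {candidate!r}")
    return problems


def check_password(username: str, password: str,
                   guesses=("password", "postgres")) -> tuple:
    """Dispatch on the wire form; returns (form, list_of_problems)."""
    if MD5_HASH_RE.match(password):
        return "hashed", check_hashed(username, password, guesses)
    return "cleartext", check_cleartext(username, password)


if __name__ == "__main__":
    # Constructed inputs: the same weak password, sent two ways.
    print(check_password("alice", "alice"))                        # caught
    print(check_password("alice", pg_md5_hash("alice", "alice")))  # caught via guess
    print(check_password("alice", pg_md5_hash("xq9!Lm", "alice"))) # too short, but passes
```

The third call in the demo is the point of the thread: a six-character password that the cleartext rules would reject sails through when the client pre-hashes it, because the server never sees it.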
