From: | "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at> |
---|---|
To: | "Tom Lane *EXTERN*" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Dave Page" <dpage(at)pgadmin(dot)org> |
Cc: | "Andrew Dunstan" <andrew(at)dunslane(dot)net>, "mlortiz" <mlortiz(at)uci(dot)cu>, "Magnus Hagander" <magnus(at)hagander(dot)net>, "pgsql-hackers" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Rejecting weak passwords |
Date: | 2009-09-29 06:46:07 |
Message-ID: | D960CB61B694CF459DCFB4B0128514C203937F50@exadv11.host.magwien.gv.at |
Lists: | pgsql-hackers |

Tom Lane wrote:
> > pgAdmin MD5's the passwords if you use the GUI to change them, or when
> > you add a user. It doesn't make any attempt to parse the SQL if you enter
> > it yourself in the query tool though (nor is it going to).
>
> No, I wouldn't expect it to go that far. My point is just that
> pre-MD5'd passwords are a lot commoner than Albe seems to think.

Point taken.

I thought about it some more, and I think that a password checking
hook might still be somewhat useful even for MD5-encrypted passwords;
the function could guess and exclude at least that dreadful
all-too-frequent case of username = password.

Yours,
Laurenz Albe
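
The check proposed in the message above, as an added example that is not part of the original e-mail or of PostgreSQL's code: a pre-hashed password arrives as `md5` followed by the hex MD5 of the password concatenated with the user name, so a hook can hash guesses with the same user name and compare. The function names, the case and reversal variants (which go slightly beyond plain username = password) and the minimum length are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# PostgreSQL's MD5 password verifier: "md5" + hex(md5(password || username)).
MD5_VERIFIER = re.compile(r"md5[0-9a-f]{32}")


def pg_md5_verifier(password: str, username: str) -> str:
    """Build the MD5 verifier PostgreSQL stores for this role and password."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def is_pre_hashed(supplied: str) -> bool:
    """True if the client sent an already MD5-hashed password."""
    return MD5_VERIFIER.fullmatch(supplied) is not None


def derived_candidates(username: str) -> list[str]:
    """Guesses derived only from the role name (hypothetical, constructed list)."""
    return [username, username.lower(), username.upper(), username[::-1]]


def check_password(username: str, supplied: str, min_length: int = 8) -> tuple[bool, str]:
    """Return (accepted, reason) for a new password, plaintext or pre-hashed."""
    if is_pre_hashed(supplied):
        # The plaintext is unknown here: the only possible test is to hash
        # guesses with the same role name and compare with the verifier.
        for guess in derived_candidates(username):
            if hmac.compare_digest(pg_md5_verifier(guess, username), supplied):
                return False, "password is derived from the user name"
        return True, "pre-hashed: only user-name guesses could be tested"
    # Plaintext case: ordinary policy checks are possible (assumed policy).
    if len(supplied) < min_length:
        return False, "password is too short"
    if username.lower() in supplied.lower():
        return False, "password contains the user name"
    return True, "ok"
```

For a pre-hashed password, acceptance only means that none of the guesses matched; length and character-class rules cannot be applied to it.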