| From: | "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at> |
|---|---|
| To: | "Bruce Momjian *EXTERN*" <bruce(at)momjian(dot)us>, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | "Robert Haas" <robertmhaas(at)gmail(dot)com>, "Mark Mielke" <mark(at)mark(dot)mielke(dot)cc>, "Dave Page" <dpage(at)pgadmin(dot)org>, "Kevin Grittner" <Kevin(dot)Grittner(at)wicourts(dot)gov>, "Andrew Dunstan" <andrew(at)dunslane(dot)net>, "Marko Kreen" <markokr(at)gmail(dot)com>, "Magnus Hagander" <magnus(at)hagander(dot)net>, "Greg Stark" <gsstark(at)mit(dot)edu>, "pgsql-hackers" <pgsql-hackers(at)postgresql(dot)org>, "mlortiz" <mlortiz(at)uci(dot)cu> |
| Subject: | Re: Rejecting weak passwords |
| Date: | 2009-10-19 07:14:07 |
| Message-ID: | D960CB61B694CF459DCFB4B0128514C203937FB7@exadv11.host.magwien.gv.at |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Bruce Momjian wrote:
> Great, added to TODO:
>
> Allow server-side enforcement of password policies
>
> Password checks might include password complexity or non-reuse of
> passwords. This facility will require the client to send the password to
> the server in plain-text, so SSL and 'password' authentication is
> necessary to use this features.
I don't get why you need 'password' authentication for that.
The point where the password should be checked is not when
the user uses it to logon, but when he or she changes it.
So in my opinion that should be:
This facility will require to send new and changed password to
the server in plain-text, so it will require SSL, and the use
of encrypted passwords in CREATE/ALTER ROLE will have to be
disabled.
Yours,
Laurenz Albe
| From | Date | Subject | |
|---|---|---|---|
| Next Message | KaiGai Kohei | 2009-10-19 07:27:25 | Re: Reworks for Access Control facilities (r2363) |
| Previous Message | Heikki Linnakangas | 2009-10-19 07:01:50 | Re: Reworks for Access Control facilities (r2363) |