Re: Rejecting weak passwords - Mailing list pgsql-hackers

From Mark Mielke
Subject Re: Rejecting weak passwords
Msg-id 4AD74DBD.7050900@mark.mielke.cc
In response to Re: Rejecting weak passwords  (Dave Page <dpage@pgadmin.org>)
Responses Re: Rejecting weak passwords
Re: Rejecting weak passwords
List pgsql-hackers
On 10/15/2009 10:08 AM, Dave Page wrote:
> It's certainly true that there are other ways for users to compromise
> their passwords if they want. The fact remains though, that most other
> DBMSs (and all major operating systems I can think of) offer password
> policy features as non-client checks which are difficult, if not
> impossible for the user to bypass. Clearly other people think it's
> important to do this, and we are compared against their products on a
> daily basis, so if we want to compete with them on a level playing
> field we need at least a comparable feature set.
>    

Not so clear to me. If they're doing strong checks, this means they're 
sending passwords in the clear or only barely encoded, or using some 
OTHER method than 'alter role ... password ...' to change the password.

Point being - if you think this is absolutely important to do - don't go 
+5% of the way - go 100% of the way.

Then again, I'm not so concerned about what arbitrary criteria some 
person defines as "what makes a good database system". I'm more 
concerned with what makes the system better for *me*. I don't see how 
this entire thread helps *me* in any way - and I do understand the need 
for strong passwords - and my company *does* have policies that require 
strong passwords. Even if the plugin is provided - I'm not going to 
activate it. I already have a policy for setting strong passwords that I 
already follow.

Cheers,
mark

-- 
Mark Mielke <mark@mielke.cc>


