Home > mailing lists

Re: Rejecting weak passwords - Mailing list pgsql-hackers

From	Albe Laurenz
Subject	Re: Rejecting weak passwords
Date	October 19, 2009 04:14:25
Msg-id	D960CB61B694CF459DCFB4B0128514C203937FB7@exadv11.host.magwien.gv.at Whole thread Raw
In response to	Re: Rejecting weak passwords (Bruce Momjian <bruce@momjian.us>)
Responses	Re: Rejecting weak passwords Re: Rejecting weak passwords
List	pgsql-hackers

Tree view

Bruce Momjian wrote:
> Great, added to TODO:
>
>     Allow server-side enforcement of password policies
>
>         Password checks might include password complexity or non-reuse of
>     passwords. This facility will require the client to send the password to
>     the server in plain-text, so SSL and 'password' authentication is
>     necessary to use this features.

I don't get why you need 'password' authentication for that.
The point where the password should be checked is not when
the user uses it to logon, but when he or she changes it.

So in my opinion that should be:
This facility will require to send new and changed password to
the server in plain-text, so it will require SSL, and the use
of encrypted passwords in CREATE/ALTER ROLE will have to be
disabled.

Yours,
Laurenz Albe

pgsql-hackers by date:

From: Heikki Linnakangas
Date: 19 October 2009, 04:02:08
Subject: Re: Reworks for Access Control facilities (r2363)

From: KaiGai Kohei
Date: 19 October 2009, 04:28:32
Subject: Re: Reworks for Access Control facilities (r2363)

Re: Rejecting weak passwords - Mailing list pgsql-hackers

Previous

Next