Peter Eisentraut wrote:
>> I don't get why you need 'password' authentication for that.
>> The point where the password should be checked is not when
>> the user uses it to logon, but when he or she changes it.
>>
>> So in my opinion that should be:
>> This facility will require to send new and changed password to
>> the server in plain-text, so it will require SSL, and the use
>> of encrypted passwords in CREATE/ALTER ROLE will have to be
>> disabled.
>
> Note that this solution will still not satisfy the original checkbox
> requirement.
I guess I misunderstood something there, but I had assumed that the
checkbox item read something like: "Does the product offer password
policy enforcement?" (to quote Dave Page).
I understood that to mean "does the server check if a new password
complies with a certain set of rules".
Yours,
Laurenz Albe
