Skip site navigation (1) Skip section navigation (2)

Re: Rejecting weak passwords

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Rejecting weak passwords
Date: 2009-09-28 11:35:03
Message-ID: 4AC09F67.2090301@dunslane.net (view raw or flat)
Thread:
Lists: pgsql-hackers

Albe Laurenz wrote:
> Dear hackers,
>
> I have been thinking about ways to have PostgreSQL reject
> weak passwords.
>
> I think the standard recommendation is "use PAM and LDAP",
> but that requires the user to change the password outside
> of PostgreSQL. And who would want to setup and maintain an
> LDAP server just for this?
>
> Since everybody has different ideas what is a good password,
> there should be some way to configure that. I've looked at
> how Oracle does it, and they simply let you write a
> stored procedure that throws an exception if it doesn't
> like the password.
> Since users are on cluster level and functions live in
> databases, that won't work in PostgreSQL.
>
> I have come up with an idea or two and like to hear your
> opinion.
>
> 1) One could have a set of GUCs like min_password_length,
>    min_password_nonchars and similar that everybody
>    could configure. This is not extremely flexible though.
> 2) Another idea would be a GUC that contains a regular
>    expression that a password may *not* match.
>    Perhaps that's too limiting too.
> 3) I have also considered a GUC that points to a loadable
>    module that performs the password check if set.
>
>
>   

My vote is for #3, if anything.

cheers

andrew

In response to

Responses

pgsql-hackers by date

Next:From: Robert HaasDate: 2009-09-28 11:46:37
Subject: Re: syslog_line_prefix
Previous:From: Magnus HaganderDate: 2009-09-28 10:51:37
Subject: Re: syslog_line_prefix

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group