
Re: Rejecting weak passwords

From: "Ing(dot) Marcos L(dot) Ortí­z Valmaseda" <mlortiz(at)uci(dot)cu>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Rejecting weak passwords
Date: 2009-09-28 13:18:16
Message-ID: 4AC0B798.3040004@uci.cu
Lists: pgsql-hackers
Andrew Dunstan wrote:
>
>
> Albe Laurenz wrote:
>> Dear hackers,
>>
>> I have been thinking about ways to have PostgreSQL reject
>> weak passwords.
>>
>> I think the standard recommendation is "use PAM and LDAP",
>> but that requires the user to change the password outside
>> of PostgreSQL. And who would want to setup and maintain an
>> LDAP server just for this?
>>
>> Since everybody has different ideas what is a good password,
>> there should be some way to configure that. I've looked at
>> how Oracle does it, and they simply let you write a
>> stored procedure that throws an exception if it doesn't
>> like the password.
>> Since users are on cluster level and functions live in
>> databases, that won't work in PostgreSQL.
>>
>> I have come up with an idea or two and like to hear your
>> opinion.
>>
>> 1) One could have a set of GUCs like min_password_length,
>>    min_password_nonchars and similar that everybody
>>    could configure. This is not extremely flexible though.
>> 2) Another idea would be a GUC that contains a regular
>>    expression that a password may *not* match.
>>    Perhaps that's too limiting too.
>> 3) I have also considered a GUC that points to a loadable
>>    module that performs the password check if set.
>>
>>
>>   
>
> My vote is for #3, if anything.
>
> cheers
>
> andrew
>
You have to analyze all points before doing this. I vote too for the 
third option, but you have to be clear about how you'll check the 
weakness of the password:
1- For example: the length should be greater than 6 chars.
2- The password should have a combination of numbers, letters and 
other characters such as dots.

Things like that you have to think about very well, or ask the 
list which are the best options.

I think the same about the PAM and LDAP auth.

Regards

-- 
"DBAs must implement decisions based on the best fit of the application, DBMS, and platform
 ......for that reason.......I use PostgreSQL + Linux"

 Ing. Marcos L. Ortiz Valmaseda
 Línea Soporte y Despliegue
 Centro de Tecnologías de Almacenamiento y Análisis de Datos (CENTALAD)

 Linux User # 418229
 PostgreSQL User
 http://www.postgresql.org
 http://www.planetpostgresql.org/
 http://www.postgresql-es.org/
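The rules listed in this message (length greater than 6, a mix of letters, digits and other characters) as a hook-style check of the kind option #3 describes. This is an added example written for this page, not code from PostgreSQL or from anyone in the thread; the function name `check_password`, the `MIN_PASSWORD_LENGTH` constant standing in for a GUC, the result codes and the extra rule rejecting passwords that contain the role name are all assumptions of this example. Note the caveat such a hook carries: it can only inspect a password supplied in plaintext, so a client that sends an already hashed password bypasses every rule here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a server setting such as the min_password_length GUC
 * proposed in the thread (assumed name); "greater than 6 chars" => 7. */
#define MIN_PASSWORD_LENGTH 7

/* Result codes are an assumption of this example. Anything other than
 * PW_OK would make the caller (the server, in the proposal) raise an error. */
typedef enum {
    PW_OK = 0,
    PW_TOO_SHORT,
    PW_NO_LETTER,
    PW_NO_DIGIT,
    PW_NO_OTHER,
    PW_CONTAINS_USERNAME
} pw_result;

/* Case-insensitive substring search; written here to stay portable
 * (strcasestr is a GNU extension). */
static bool contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0)
        return false;
    for (const char *p = hay; strlen(p) >= n; p++) {
        size_t i;
        for (i = 0; i < n; i++)
            if (tolower((unsigned char) p[i]) != tolower((unsigned char) needle[i]))
                break;
        if (i == n)
            return true;
    }
    return false;
}

/* Hook-style policy check over the plaintext password. A pre-hashed
 * password cannot be inspected this way, which is the main limit of
 * option #3 (and of options #1 and #2) in the thread. */
pw_result check_password(const char *username, const char *password)
{
    size_t len = strlen(password);
    bool has_letter = false, has_digit = false, has_other = false;

    if (len < MIN_PASSWORD_LENGTH)
        return PW_TOO_SHORT;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char) password[i];
        if (isalpha(c))
            has_letter = true;
        else if (isdigit(c))
            has_digit = true;
        else
            has_other = true;          /* dots, punctuation, spaces, ... */
    }
    if (!has_letter)
        return PW_NO_LETTER;
    if (!has_digit)
        return PW_NO_DIGIT;
    if (!has_other)
        return PW_NO_OTHER;

    /* Extra rule beyond the thread's list (assumption of this example):
     * the password must not contain the role name. */
    if (username != NULL && contains_ci(password, username))
        return PW_CONTAINS_USERNAME;

    return PW_OK;
}

/* Human-readable reason, for the error message the server would raise. */
const char *pw_result_message(pw_result r)
{
    switch (r) {
    case PW_OK:                return "ok";
    case PW_TOO_SHORT:         return "password is too short";
    case PW_NO_LETTER:         return "password must contain a letter";
    case PW_NO_DIGIT:          return "password must contain a digit";
    case PW_NO_OTHER:          return "password must contain a non-alphanumeric character";
    case PW_CONTAINS_USERNAME: return "password must not contain the user name";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed sample inputs for a role named "alice". */
    const char *samples[] = { "abc", "abcdefg", "1234567", "abcd123", "alice1.x", "Tr0ub.dor" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %s\n", samples[i], pw_result_message(check_password("alice", samples[i])));
    return 0;
}
```

The checks run in order of cheapest first, and the first failing rule is reported, so a caller gets one actionable reason per attempt rather than a bundle.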

