Skip site navigation (1) Skip section navigation (2)

Re: Rejecting weak passwords

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>, Dave Page <dpage(at)pgadmin(dot)org>, mlortiz <mlortiz(at)uci(dot)cu>, Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Rejecting weak passwords
Date: 2009-09-29 14:47:08
Message-ID: 4AC21DEC.5010901@dunslane.net (view raw or flat)
Thread:
Lists: pgsql-hackers

Robert Haas wrote:
> On Tue, Sep 29, 2009 at 9:48 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>   
>> "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at> writes:
>>     
>>> I thought about it some more, and I think that a password checking
>>> hook might still be somewhat useful even for MD5-encrypted passwords;
>>> the function could guess and exclude at least that dreadful
>>> all-too-frequent case of username = password.
>>>       
>> True.  You could probably even run through a moderate-size dictionary
>> of weak passwords, depending on how long you're willing to make the
>> user wait.  (CHECK_FOR_INTERRUPTS inside the loop would be polite ;-))
>>     
>
> But how much value is there in that?  This whole thing seems like a
> dead end to me.  No matter how long you're willing to wait, putting
> the checking on the client side will let you far more validation for
> the same price.
>
>
>   

Why do we need to answer that question? If all we do is provide a hook, 
the cost is very low, and the decision on value is left to whoever is 
deploying some module to use the hook. And it will let people possibly 
implement some password security policy dictated by some PHB, and so 
check off a box on a form somewhere. Frankly, real security requires 
that you pretty much get out of the password game, but passwords will 
undoubtedly be around for a long time, since people will always trade 
security for convenience.

cheers

andrew

In response to

Responses

pgsql-hackers by date

Next:From: Tom LaneDate: 2009-09-29 14:50:03
Subject: Re: Rejecting weak passwords
Previous:From: Peter EisentrautDate: 2009-09-29 14:21:45
Subject: Re: Unicode UTF-8 table formatting for psql text output

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group