Re: Rejecting weak passwords

From: "Kevin Grittner" <Kevin(dot)Grittner(at)wicourts(dot)gov>
To: "Dave Page" <dpage(at)pgadmin(dot)org>
Cc: "Andrew Dunstan" <andrew(at)dunslane(dot)net>, "Marko Kreen" <markokr(at)gmail(dot)com>, "Magnus Hagander" <magnus(at)hagander(dot)net>, "Greg Stark" <gsstark(at)mit(dot)edu>, "Bruce Momjian" <bruce(at)momjian(dot)us>, "pgsql-hackers" <pgsql-hackers(at)postgresql(dot)org>, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>,"mlortiz" <mlortiz(at)uci(dot)cu>, "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at>
Subject: Re: Rejecting weak passwords
Date: 2009-10-15 13:49:29
Message-ID: 4AD6E219020000250002B995@gw.wicourts.gov
Lists: pgsql-hackers

Dave Page <dpage(at)pgadmin(dot)org> wrote:
> On Wed, Oct 14, 2009 at 10:51 PM, Kevin Grittner

>> bigger problems, like that slip of paper in their desk drawer with
>> the password written on it.

> See my previous comment about dates. Check-box items aside, I have
> absolutely no desire to try to give the illusion of a security
> feature, when in reality any user could easily bypass it.

I think you missed my point -- if you want to try to block the user
from compromising their *own* password, you can't. They can tell
anybody they want, write it on a slip of paper stuck to their terminal
(yes, I've seen that), let it loose any other way they want. Why
focus on one (rather unlikely) way that a user could compromise their
own password when there are so many other ways, much easier and more
likely to actually happen, which are totally out of our control?

If a simple client-side strength check would allow the box to be
checked, and would protect any user who isn't going out of their way
to let their password be abused, I'm not really understanding your
objection. Now, if it fails to cover the checkbox because it can't
check against the last three passwords used, that's another story, but
the server-side plugin can easily cover things like that.

And ultimately, if you really care about tight security rather than
checking off a box, other posts address how that can actually be done.

-Kevin
