
Re: Rejecting weak passwords

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>, Dave Page <dpage(at)pgadmin(dot)org>, Andrew Dunstan <andrew(at)dunslane(dot)net>, mlortiz <mlortiz(at)uci(dot)cu>, Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Rejecting weak passwords
Date: 2009-09-29 14:18:34
Message-ID: 603c8f070909290718rc79dde5re3282d9e5c3340cb@mail.gmail.com
Lists: pgsql-hackers
On Tue, Sep 29, 2009 at 9:48 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at> writes:
>> I thought about it some more, and I think that a password checking
>> hook might still be somewhat useful even for MD5-encrypted passwords;
>> the function could guess and exclude at least that dreadful
>> all-too-frequent case of username = password.
>
> True.  You could probably even run through a moderate-size dictionary
> of weak passwords, depending on how long you're willing to make the
> user wait.  (CHECK_FOR_INTERRUPTS inside the loop would be polite ;-))

But how much value is there in that?  This whole thing seems like a
dead end to me.  No matter how long you're willing to wait, putting
the checking on the client side will let you do far more validation for
the same price.

...Robert
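As an added illustration of the check Albe and Tom discuss above (the username = password guess and a small dictionary run against an already-MD5-encrypted password), here is example code written for this page; it is not PostgreSQL's own hook code, and the five-entry dictionary and the `check_password` / `pg_md5_encrypt` names are constructed for the example. It assumes the pre-SCRAM storage format `"md5" + hex(md5(password || rolename))`, which is what a server-side hook sees when the client sends the password already encrypted.

```python
import hashlib

# Constructed, illustrative dictionary of weak passwords (assumption for this
# example; a real deployment would load a larger list).
WEAK_PASSWORDS = ["password", "123456", "qwerty", "postgres", "letmein"]


def pg_md5_encrypt(password: str, username: str) -> str:
    """Reproduce the classic PostgreSQL 'md5' password format:
    'md5' followed by hex(md5(password || username))."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def looks_md5_encrypted(value: str) -> bool:
    """Same heuristic the server uses: 'md5' + 32 lowercase hex digits."""
    return (
        len(value) == 35
        and value.startswith("md5")
        and all(c in "0123456789abcdef" for c in value[3:])
    )


def check_password(username: str, password: str, dictionary=WEAK_PASSWORDS):
    """Return (accepted, reason).

    Mirrors what a check_password hook can do with each input kind:
    - plaintext: full validation is possible;
    - md5-encrypted: the password itself is unknown, but because the salt
      is just the role name, each weak candidate can be encrypted the same
      way and compared, which is exactly the username = password guess.
    """
    if looks_md5_encrypted(password):
        candidates = [username, username.lower(), username.upper()]
        candidates += list(dictionary)
        for cand in candidates:
            # In the real C hook this loop is where CHECK_FOR_INTERRUPTS()
            # belongs, so a long dictionary does not make the backend
            # uninterruptible while it grinds through candidates.
            if pg_md5_encrypt(cand, username) == password:
                return False, "encrypted password matches a weak candidate"
        # Note the limit Robert points at: anything not in the candidate
        # list (length, character classes, etc.) cannot be judged here.
        return True, "encrypted password matched no weak candidate"

    # Plaintext path: the hook can apply arbitrary policy.
    if password == username:
        return False, "password equals username"
    if len(password) < 8:
        return False, "password shorter than 8 characters"
    if password.lower() in dictionary:
        return False, "password is in the weak-password dictionary"
    return True, "ok"


if __name__ == "__main__":
    for user, pw in [("alice", "alice"),
                     ("alice", pg_md5_encrypt("alice", "alice")),
                     ("alice", pg_md5_encrypt("qwerty", "alice")),
                     ("alice", pg_md5_encrypt("c0rrect-h0rse", "alice"))]:
        print(user, pw, check_password(user, pw))
```

The encrypted branch only ever answers "matches a known weak value" or "no match"; a short but unlisted password sails through, which is the reason the thread keeps circling back to client-side checking.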

