Re: Rejecting weak passwords

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at>
Cc: "Dave Page" <dpage(at)pgadmin(dot)org>, "Andrew Dunstan" <andrew(at)dunslane(dot)net>, "mlortiz" <mlortiz(at)uci(dot)cu>, "Magnus Hagander" <magnus(at)hagander(dot)net>, "pgsql-hackers" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Rejecting weak passwords
Date: 2009-09-29 13:48:46
Message-ID: 7191.1254232126@sss.pgh.pa.us
Lists: pgsql-hackers

"Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at> writes:
> I thought about it some more, and I think that a password checking
> hook might still be somewhat useful even for MD5-encrypted passwords;
> the function could guess and exclude at least that dreadful
> all-too-frequent case of username = password.

True. You could probably even run through a moderate-size dictionary
of weak passwords, depending on how long you're willing to make the
user wait. (CHECK_FOR_INTERRUPTS inside the loop would be polite ;-))

regards, tom lane
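
The check discussed in this message, as an added example that is not part of the original thread or of PostgreSQL's source: even when the client sends an MD5 value, the server can hash its own guesses (the username, then a small wordlist) the same way and compare. It relies on PostgreSQL's MD5 password format, "md5" followed by the hex MD5 of the password concatenated with the username; the names pg_md5, is_pg_md5, check_password and WEAK_PASSWORDS are hypothetical, and the wordlist is constructed sample data.

```python
import hashlib
import string

# Constructed sample wordlist; a real check would load a larger dictionary.
WEAK_PASSWORDS = ["password", "123456", "qwerty", "letmein", "postgres"]


def pg_md5(password: str, username: str) -> str:
    """PostgreSQL MD5 format: 'md5' + hex(md5(password || username))."""
    data = (password + username).encode("utf-8")
    return "md5" + hashlib.md5(data).hexdigest()


def is_pg_md5(value: str) -> bool:
    """True if value has the shape of a pre-hashed PostgreSQL MD5 password."""
    return (len(value) == 35 and value.startswith("md5")
            and all(c in string.hexdigits for c in value[3:]))


def check_password(username, supplied, dictionary=WEAK_PASSWORDS):
    """Return None if acceptable, else 'matches_username' or 'in_dictionary'.

    `supplied` is what the server receives: cleartext, or an MD5 value the
    client computed. The hash is salted with the username, so each guess
    must be re-hashed for this particular user before comparing.
    """
    hashed = is_pg_md5(supplied)
    target = supplied.lower() if hashed else supplied

    def matches(guess):
        return (pg_md5(guess, username) if hashed else guess) == target

    if matches(username):
        return "matches_username"
    # This loop is where the C backend version would call CHECK_FOR_INTERRUPTS.
    for word in dictionary:
        if matches(word):
            return "in_dictionary"
    return None
```

The cost is one MD5 per dictionary entry per password change, which is the wait the message refers to.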
