| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Fernando Grijalba <jfercan(at)yahoo(dot)com> |
| Cc: | pgsql-interfaces(at)postgresql(dot)org |
| Subject: | Re: Reset expired password from .NET |
| Date: | 2006-05-30 23:02:11 |
| Message-ID: | 4868.1149030131@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-interfaces |
Fernando Grijalba <jfercan(at)yahoo(dot)com> writes:
> I just realized that Postgresql does not differentiate between an invalid username/password or an expired password when it gives you the error message.
That's intentional. Per the comments in auth.c:
* Tell the user the authentication failed, but not (much about) why.
*
* There is a tradeoff here between security concerns and making life
* unnecessarily difficult for legitimate users. We would not, for example,
* want to report the password we were expecting to receive...
* But it seems useful to report the username and authorization method
* in use, and these are items that must be presumed known to an attacker
* anyway.
* Note that many sorts of failure report additional information in the
* postmaster log, which we hope is only readable by good guys.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | ljb | 2006-05-31 01:19:04 | Re: Building psql.exe using the free Borland compiler |
| Previous Message | Fernando Grijalba | 2006-05-30 20:48:28 | Reset expired password from .NET |