On 28 sep 2009, at 11.54, "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at>
> Dear hackers,
> I have been thinking about ways to have PostgreSQL reject
> weak passwords.
> I think the standard recommendation is "use PAM and LDAP",
> but that requires the user to change the password outside
> of PostgreSQL. And who would want to setup and maintain an
> LDAP server just for this?
> Since everybody has different ideas what is a good password,
> there should be some way to configure that. I've looked at
> how Oracle does it, and they simply let you write a
> stored procedure that throws an exception if it doesn't
> like the password.
> Since users are on cluster level and functions live in
> databases, that won't work in PostgreSQL.
> I have come up with an idea or two and like to hear your
> 1) One could have a set of GUCs like min_password_length,
> min_password_nonchars and similar that everybody
> could configure. This is not extremely flexible though.
> 2) Another idea would be a GUC that contains a regular
> expression that a password may *not* match.
> Perhaps that's too limiting too.
> 3) I have also considered a GUC that points to a loadable
> module that performs the password check if set.
> Are there better ways?
Isn't there some library we can link with and (conditionally) use? I
believe windows exposes api function(s) to let you verify password
complexity - I'm sure there is something similar available on unix,
hopefully included on most common platforms?
In response to
pgsql-hackers by date
|Next:||From: Abhijit Menon-Sen||Date: 2009-09-28 10:16:10|
|Subject: Re: plperl returning setof foo|
|Previous:||From: Itagaki Takahiro||Date: 2009-09-28 10:08:43|
|Subject: Re: CREATE LIKE INCLUDING COMMENTS and STORAGES|