| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>, Dave Page <dpage(at)pgadmin(dot)org>, Andrew Dunstan <andrew(at)dunslane(dot)net>, mlortiz <mlortiz(at)uci(dot)cu>, Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Rejecting weak passwords |
| Date: | 2009-09-29 14:18:34 |
| Message-ID: | 603c8f070909290718rc79dde5re3282d9e5c3340cb@mail.gmail.com |
| Lists: | pgsql-hackers |
On Tue, Sep 29, 2009 at 9:48 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at> writes:
>> I thought about it some more, and I think that a password checking
>> hook might still be somewhat useful even for MD5-encrypted passwords;
>> the function could guess and exclude at least that dreadful
>> all-too-frequent case of username = password.
>
> True. You could probably even run through a moderate-size dictionary
> of weak passwords, depending on how long you're willing to make the
> user wait. (CHECK_FOR_INTERRUPTS inside the loop would be polite ;-))
But how much value is there in that? This whole thing seems like a
dead end to me. No matter how long you're willing to wait, putting
the checking on the client side will let you do far more validation for
the same price.
...Robert
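To make concrete what the quoted exchange describes (a server-side check that can only guess at an MD5-encrypted password by hashing candidates, the username among them), here is an added illustration that is not part of this thread and not PostgreSQL's own hook code. It is written in Python rather than as a C `check_password_hook` so it runs stand-alone; the weak-password list is a constructed stand-in for the "moderate-size dictionary" Tom mentions, and the stored-hash format assumed is PostgreSQL's `"md5" + hex(md5(password || username))`.

```python
import hashlib

# Constructed stand-in for a dictionary of weak passwords (not from the thread).
WEAK_PASSWORDS = ("password", "123456", "postgres", "qwerty", "letmein")


def pg_md5(password: str, username: str) -> str:
    """PostgreSQL's stored MD5 form: 'md5' followed by hex(md5(password || username))."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def is_md5_encrypted(value: str) -> bool:
    """True when the value already looks like a stored md5 password (what the server
    receives for CREATE/ALTER ROLE ... ENCRYPTED PASSWORD)."""
    return (
        value.startswith("md5")
        and len(value) == 35
        and all(c in "0123456789abcdef" for c in value[3:])
    )


def check_password(username: str, password: str, weak_list=WEAK_PASSWORDS):
    """Mirror the logic a server-side password-check hook could apply.

    Returns (accepted, reason). For a plaintext password the checks are direct;
    for an md5-encrypted one the only option is to hash each candidate the same
    way the client did and compare, which is why the work grows with the list.
    """
    # The username itself is the first candidate: the "username = password" case.
    candidates = (username,) + tuple(weak_list)

    if is_md5_encrypted(password):
        for cand in candidates:
            # In a real hook this loop body is where CHECK_FOR_INTERRUPTS() belongs,
            # so a long dictionary walk can still be cancelled.
            if pg_md5(cand, username) == password:
                if cand == username:
                    return False, "password equals username (matched via md5)"
                return False, f"password matches weak candidate {cand!r} (matched via md5)"
        # Nothing matched; note that this says nothing about candidates not on the list.
        return True, "no weak candidate matched the md5 hash"

    if password == username:
        return False, "password equals username"
    if password in weak_list:
        return False, "password is in the weak list"
    return True, "ok"


if __name__ == "__main__":
    for user, pw in (("alice", "alice"),
                     ("alice", pg_md5("alice", "alice")),
                     ("bob", "123456"),
                     ("carol", pg_md5("correct horse battery", "carol"))):
        print(user, pw[:12] + ("..." if len(pw) > 12 else ""), check_password(user, pw))
```

The md5 branch is the whole point of Albe's remark: once the client has pre-hashed the password, the server cannot inspect it, only test guesses against it, so the check is bounded by how many candidates you are willing to hash per role change.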