Quick Links

Re: Rejecting weak passwords

From:	Alvaro Herrera <alvherre(at)commandprompt(dot)com>
To:	Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc:	Peter Eisentraut <peter_e(at)gmx(dot)net>, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>, Bruce Momjian EXTERN <bruce(at)momjian(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Mark Mielke <mark(at)mark(dot)mielke(dot)cc>, Dave Page <dpage(at)pgadmin(dot)org>, Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Marko Kreen <markokr(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Greg Stark <gsstark(at)mit(dot)edu>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, mlortiz <mlortiz(at)uci(dot)cu>
Subject:	Re: Rejecting weak passwords
Date:	2009-10-19 16:23:00
Message-ID:	20091019162300.GC3352@alvh.no-ip.org
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

Tom Lane escribió:
> Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> > On Mon, 2009-10-19 at 14:54 +0200, Albe Laurenz wrote:
> >> I guess I misunderstood something there, but I had assumed that the
> >> checkbox item read something like: "Does the product offer password
> >> policy enforcement?" (to quote Dave Page).
>
> > The answer to that is currently "Yes, with external tools". Using the
> > plugin approach, the answer will remain "Yes, with external tools". So
> > we wouldn't gain much.
>
> Except that your first statement is false. It is not possible currently
> for any tool to prevent someone from doing ALTER USER joe PASSWORD joe.
> A server-side plugin can provide a guarantee that there are no bad
> passwords (for some value of bad, and with some possible adverse
> consequences). We don't have that today.

We do, if you have you server grabbing passwords from LDAP or whatever
external auth service you use. That would be more secure than anything
mentioned in this thread, because the password enforcement could work on
unencrypted passwords without adverse consequences.

--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.

In response to

Re: Rejecting weak passwords at 2009-10-19 16:12:07 from Tom Lane

Responses

Re: Rejecting weak passwords at 2009-10-19 16:37:19 from Andrew Dunstan

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	David E. Wheeler	2009-10-19 16:25:02	Re: Controlling changes in plpgsql variable resolution
Previous Message	Tom Lane	2009-10-19 16:12:07	Re: Rejecting weak passwords