Re: Rejecting weak passwords

From: Greg Stark <gsstark(at)mit(dot)edu>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Dave Page <dpage(at)pgadmin(dot)org>, Marko Kreen <markokr(at)gmail(dot)com>, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>, Andrew Dunstan <andrew(at)dunslane(dot)net>, mlortiz <mlortiz(at)uci(dot)cu>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Rejecting weak passwords
Date: 2009-10-14 18:42:04
Message-ID: 407d949e0910141142y4e9156cfs44d4d78d95bdc8e6@mail.gmail.com
Lists: pgsql-hackers

On Wed, Oct 14, 2009 at 10:28 AM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>
> I see three checks we are trying to do on passwords:
>
>        1) Password complexity enforcement/policies
>        2) Password history - you can't reuse a password
>        3) Account disable after X incorrect attempts

This whole discussion seems very strange to me. Surely any
organization with rules like this will want them to be system-wide and
will have already implemented them in their PAM and LDAP systems
(assuming they're not using Kerberos or something like that anyways).
There's not much point in reinventing the wheel in the database when
a) we'll never be remotely as complete as the existing authentication
systems -- the above requirements only barely scratch the surface and
b) even if we were as complete as existing systems it would never be
integrated so there would be nothing stopping people from reusing
passwords from their login account or trying passwords a limited
number of times against each system to get many attempts in total.

Incidentally I'm extremely dubious of systems that implement your goal
#3. It seems like more of an obvious DOS attack vector than a security
improvement to me. There are better defense mechanisms for such
attacks such as preauth. One more argument why we shouldn't be
reimplementing the wheel in an area where we don't have particularly good
experience.

--
greg
