Re: Rejecting weak passwords

From: "Kevin Grittner" <Kevin(dot)Grittner(at)wicourts(dot)gov>
To: "Dave Page" <dpage(at)pgadmin(dot)org>,"Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "Andrew Dunstan" <andrew(at)dunslane(dot)net>, "Marko Kreen" <markokr(at)gmail(dot)com>, "Magnus Hagander" <magnus(at)hagander(dot)net>, "Greg Stark" <gsstark(at)mit(dot)edu>, "Bruce Momjian" <bruce(at)momjian(dot)us>, "pgsql-hackers" <pgsql-hackers(at)postgresql(dot)org>, "mlortiz" <mlortiz(at)uci(dot)cu>, "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at>
Subject: Re: Rejecting weak passwords
Date: 2009-10-14 20:50:46
Message-ID: 4AD5F356020000250002B93B@gw.wicourts.gov
Lists: pgsql-hackers

Dave Page <dpage(at)pgadmin(dot)org> wrote:

> I said up front this was a box-ticking exercise for these folks,

Can they check the box if the provided clients include password
strength checking? I'm just wondering if we're going at this the hard
way, if that really is the main goal.

From the point of view of usefulness, wouldn't it be OK if clients
enforced the strength (or at least warned of weakness) *and* sent the
md5sum?

And, perhaps slightly off topic: if the login password is sent over a
non-encrypted stream, md5sum or not, can't someone use it to log in if
they're generating their own stream to connect? Discussions of which
is the more secure way to change passwords seem a little silly if
you're only worried about environments where someone can sniff any
login sequence and spoof the user anyway.

> (meh - who cares if we can store 2009-02-31 - it stores all the
> valid dates which are the ones that matter :-p )

Oh, now that's just trolling -- you really don't want to open that can
of worms again, do you? :-p

-Kevin
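The approach Kevin floats above, a client that enforces a strength policy locally and then ships only the md5 form to the server, sketched as an added example that is not part of this message nor of PostgreSQL's own client code. The policy rules and the `COMMON_PASSWORDS` list are constructed for illustration; the hash format used (`"md5"` followed by the hex MD5 of password concatenated with the user name) is the storage format PostgreSQL used for md5-authenticated roles at the time of this thread.

```python
import hashlib
import re

# Constructed denylist for the example; a real client would consult a much
# larger list of breached or common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "postgres"}


def weakness_reasons(password: str, username: str, min_length: int = 8) -> list:
    """Client-side strength policy (constructed for this example).

    Returns the list of reasons the password is considered weak; an empty
    list means the password passed every rule.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if username and username.lower() in password.lower():
        reasons.append("contains the user name")
    # Count how many of lower/upper/digit/other character classes appear.
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        reasons.append("uses fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("is a commonly used password")
    return reasons


def pg_md5_password(password: str, username: str) -> str:
    """PostgreSQL md5 password storage form: 'md5' + hex(md5(password || username)).

    The user name acts as the salt, so the same password yields a different
    stored value for each role.
    """
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def quote_ident(name: str) -> str:
    """Double-quote an SQL identifier, doubling embedded quotes."""
    return '"' + name.replace('"', '""') + '"'


def prepare_password_change(password: str, username: str):
    """Run the local policy first; only if it passes, build the ALTER ROLE
    statement that carries the pre-hashed value (the cleartext never leaves
    the client). Returns (statement or None, list of weakness reasons)."""
    reasons = weakness_reasons(password, username)
    if reasons:
        return None, reasons
    hashed = pg_md5_password(password, username)
    stmt = f"ALTER ROLE {quote_ident(username)} ENCRYPTED PASSWORD '{hashed}'"
    return stmt, []


if __name__ == "__main__":
    for pw in ("password", "Alice2024!", "Tr0ub4dor&3"):
        stmt, why = prepare_password_change(pw, "alice")
        print(repr(pw), "->", stmt if stmt else "rejected: " + "; ".join(why))
```

Because the server only ever sees the md5 form, it has nothing to evaluate, which is exactly why the check has to live on the client side in this arrangement; the trade-off is that every client that can change passwords must implement the same policy, and a client that skips it is not stopped by the server.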
