| From: | "Kevin Grittner" <Kevin(dot)Grittner(at)wicourts(dot)gov> |
|---|---|
| To: | "Dave Page" <dpage(at)pgadmin(dot)org> |
| Cc: | "Andrew Dunstan" <andrew(at)dunslane(dot)net>, "Marko Kreen" <markokr(at)gmail(dot)com>, "Magnus Hagander" <magnus(at)hagander(dot)net>, "Greg Stark" <gsstark(at)mit(dot)edu>, "Bruce Momjian" <bruce(at)momjian(dot)us>, "pgsql-hackers" <pgsql-hackers(at)postgresql(dot)org>, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>,"mlortiz" <mlortiz(at)uci(dot)cu>, "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at> |
| Subject: | Re: Rejecting weak passwords |
| Date: | 2009-10-14 21:51:19 |
| Message-ID: | 4AD60187020000250002B964@gw.wicourts.gov |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Dave Page <dpage(at)pgadmin(dot)org> wrote:
> No. Any checks at the client are worthless, as they can be bypassed
> by 10 minutes worth of simple coding in any of a dozen or more
> languages.
Well, sure, but we're talking about a client going out of their way to
wrestle the point of the gun toward their own foot, aren't we? If
we're worried about the user compromising their own password, we have
bigger problems, like that slip of paper in their desk drawer with the
password written on it. I mean, I know some of these checklists can
be pretty brain-dead (I've been on both sides of the RFP process many
times), but it would seem over the top to say that client-side
password strength checks aren't OK for the reason you give.
-Kevin
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Josh Berkus | 2009-10-14 21:54:21 | Re: Could regexp_matches be immutable? |
| Previous Message | Kevin Grittner | 2009-10-14 21:45:51 | Re: Rejecting weak passwords |