| From: | Ron Mayer <rm_pg(at)cheapcomplexdevices(dot)com> |
|---|---|
| To: | Mark Mielke <mark(at)mark(dot)mielke(dot)cc> |
| Cc: | Dave Page <dpage(at)pgadmin(dot)org>, Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Marko Kreen <markokr(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Greg Stark <gsstark(at)mit(dot)edu>, Bruce Momjian <bruce(at)momjian(dot)us>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, mlortiz <mlortiz(at)uci(dot)cu>, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at> |
| Subject: | Re: Rejecting weak passwords |
| Date: | 2009-10-15 16:59:50 |
| Message-ID: | 4AD75506.4000802@cheapcomplexdevices.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Mark Mielke wrote:
> On 10/15/2009 10:08 AM, Dave Page wrote:
>> ...other
>> DBMSs (and all major operating systems I can think of) offer password
>> policy features as non-client checks...we are compared ...
>
> Not so clear to me. If they're doing strong checks, this means they're
> sending passwords in the clear or only barely encoded, or using some
> OTHER method than 'alter role ... password ...' to change the password.
This makes it sounds like a documentation problem to me.
We need to educate the security-feature-checklist writers.
It seems we need to clearly spell out the security risks of sending
plain text passwords in the section where we would state the reason
why the checks are done in the client - and then hopefully the
security checklists writers will include "only sends encrypted
passwords" as a checkbox on the product comparison charts.
And if server-side checks are that important, perhaps the wiki needs
an example of how to enable server-side check for popular GSSAPI
or LDAP or PAM configurations and describe how to make postgres
use those.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Josh Berkus | 2009-10-15 17:17:06 | Re: Rejecting weak passwords |
| Previous Message | Dave Page | 2009-10-15 16:41:34 | Re: Rejecting weak passwords |