| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Rejecting weak passwords |
| Date: | 2009-10-20 14:07:31 |
| Message-ID: | 603c8f070910200707r7dfd75f6kdbc7f46c0998d763@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, Oct 20, 2009 at 9:42 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> 2009/10/19 Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>:
>>> Now we have a user with name equal to password, which no sane security
>>> policy will think is a good thing, but the plugin had no chance to
>>> prevent it.
>
>> The big difference is that you need to be superuser to change the name
>> of a user, but not to change your own password.
>
> True, but the superuser doesn't necessarily know what the user has
> set his password to.
Yeah, but I'm not sure this case is worth worrying about. People who
actually care password security are likely to have checks that are
substantially stronger than "!= username".
...Robert
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2009-10-20 14:14:45 | Re: Could postgres be much cleaner if a future release skipped backward compatibility? |
| Previous Message | Greg Sabino Mullane | 2009-10-20 14:07:03 | Re: Could postgres be much cleaner if a future release skipped backward compatibility? |