Re: Rejecting weak passwords

From: Dave Page <dpage(at)pgadmin(dot)org>
To: Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>, Marko Kreen <markokr(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Greg Stark <gsstark(at)mit(dot)edu>, Bruce Momjian <bruce(at)momjian(dot)us>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, mlortiz <mlortiz(at)uci(dot)cu>, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>
Subject: Re: Rejecting weak passwords
Date: 2009-10-15 14:08:32
Message-ID: 937d27e10910150708y2ec42b6fq2cf091a78816651@mail.gmail.com
Lists: pgsql-hackers

On Thu, Oct 15, 2009 at 2:49 PM, Kevin Grittner
<Kevin(dot)Grittner(at)wicourts(dot)gov> wrote:
> Dave Page <dpage(at)pgadmin(dot)org> wrote:
>> On Wed, Oct 14, 2009 at 10:51 PM, Kevin Grittner
>
>>> bigger problems, like that slip of paper in their desk drawer with
>>> the password written on it.
>
>> See my previous comment about dates. Check-box items aside, I have
>> absolutely no desire to try to give the illusion of a security
>> feature, when in reality any user could easily bypass it.
>
> I think you missed my point -- if you want to try to block the user
> from compromising their *own* password, you can't.  They can tell
> anybody they want, write it on a slip of paper stuck to their terminal
> (yes, I've seen that), let it loose any other way they want.  Why
> focus on one (rather unlikely) way that a user could compromise their
> own password when there are so many other ways, much easier and more
> likely to actually happen, which are totally out of our control?

It's certainly true that there are other ways for users to compromise
their passwords if they want. The fact remains, though, that most other
DBMSs (and all major operating systems I can think of) offer password
policy features as non-client checks which are difficult, if not
impossible, for the user to bypass. Clearly other people think it's
important to do this, and we are compared against their products on a
daily basis, so if we want to compete with them on a level playing
field we need at least a comparable feature set.

--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
