Re: Rejecting weak passwords

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Rejecting weak passwords
Date: 2009-10-20 07:11:24
Message-ID: 9837222c0910200011x24759f9awe138e7ffa6b202d@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

2009/10/19 Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>:
> I wrote:
>> A server-side plugin can provide a guarantee that there are no bad
>> passwords (for some value of bad, and with some possible adverse
>> consequences).  We don't have that today.
>
> BTW, it strikes me that ALTER USER RENAME introduces an interesting
> hazard for such a plugin.  Consider
>
> CREATE USER joe;
> ALTER USER joe PASSWORD joe;  -- presumably, plugin will reject this
> ALTER USER joe PASSWORD mumblefrotz;  -- assume this is considered OK
> ALTER USER joe RENAME TO mumblefrotz;
>
> Now we have a user with name equal to password, which no sane security
> policy will think is a good thing, but the plugin had no chance to
> prevent it.

The big difference is that you need to be superuser to change the name
of a user, but not to change your own password.

I know for example the Windows password policy thing has the same
issue - if you rename the user, it doesn't have the password around to
check, but you are an administrator so that's considered ok.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Heikki Linnakangas 2009-10-20 07:33:56 Re: Hot standby, pausing recovery
Previous Message Heikki Linnakangas 2009-10-20 06:57:26 Re: Could postgres be much cleaner if a future release skipped backward compatibility?