From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Rejecting weak passwords |
Date: | 2009-10-20 07:11:24 |
Message-ID: | 9837222c0910200011x24759f9awe138e7ffa6b202d@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
2009/10/19 Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>:
> I wrote:
>> A server-side plugin can provide a guarantee that there are no bad
>> passwords (for some value of bad, and with some possible adverse
>> consequences). We don't have that today.
>
> BTW, it strikes me that ALTER USER RENAME introduces an interesting
> hazard for such a plugin. Consider
>
> CREATE USER joe;
> ALTER USER joe PASSWORD joe; -- presumably, plugin will reject this
> ALTER USER joe PASSWORD mumblefrotz; -- assume this is considered OK
> ALTER USER joe RENAME TO mumblefrotz;
>
> Now we have a user with name equal to password, which no sane security
> policy will think is a good thing, but the plugin had no chance to
> prevent it.
The big difference is that you need to be superuser to change the name
of a user, but not to change your own password.
I know for example the Windows password policy thing has the same
issue - if you rename the user, it doesn't have the password around to
check, but you are an administrator so that's considered ok.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
From | Date | Subject | |
---|---|---|---|
Next Message | Heikki Linnakangas | 2009-10-20 07:33:56 | Re: Hot standby, pausing recovery |
Previous Message | Heikki Linnakangas | 2009-10-20 06:57:26 | Re: Could postgres be much cleaner if a future release skipped backward compatibility? |