On Mon, 2009-10-19 at 09:14 +0200, Albe Laurenz wrote:
> Bruce Momjian wrote:
> > Great, added to TODO:
> >
> > Allow server-side enforcement of password policies
> >
> > Password checks might include password complexity or non-reuse of
> > passwords. This facility will require the client to send the password to
> > the server in plain-text, so SSL and 'password' authentication is
> > necessary to use this features.
>
> I don't get why you need 'password' authentication for that.
> The point where the password should be checked is not when
> the user uses it to logon, but when he or she changes it.
>
> So in my opinion that should be:
> This facility will require to send new and changed password to
> the server in plain-text, so it will require SSL, and the use
> of encrypted passwords in CREATE/ALTER ROLE will have to be
> disabled.
Note that this solution will still not satisfy the original checkbox
requirement.
