On Thu, Jan 23, 2014 at 10:39:34PM -0500, Tom Lane wrote:
> Bruce Momjian <bruce@momjian.us> writes:
> > I have developed the attached patch to fix this problem. Do I need to
> > say "invalid user or invalid or expired password"?
>
> I'm not convinced that this improves anything. The problem might not in
> fact be either of the things you mention, in which case the new message
> is outright misleading. Also, what of the policy stated in the header
> comment for the function you're hacking, ie we intentionally don't reveal
> the precise cause of the failure to the client?
Well, the only solution then would be to add some weasel words like
"perhaps expired password", but that seems so rare that I doubt it would
apply very often and seems like an odd suggestion. We could go with:

    password authentication failed for user \"%s\": perhaps invalid or expired password

We did have two threads on this issue in the past 12 months so I figured
we should try to do something.
--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + Everyone has their own god. +