Re: Rejecting weak passwords - Mailing list pgsql-hackers

From Robert Haas
Subject Re: Rejecting weak passwords
Date
Msg-id 603c8f070910200707r7dfd75f6kdbc7f46c0998d763@mail.gmail.com
Whole thread Raw
In response to Re: Rejecting weak passwords  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Tue, Oct 20, 2009 at 9:42 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> 2009/10/19 Tom Lane <tgl@sss.pgh.pa.us>:
>>> Now we have a user with name equal to password, which no sane security
>>> policy will think is a good thing, but the plugin had no chance to
>>> prevent it.
>
>> The big difference is that you need to be superuser to change the name
>> of a user, but not to change your own password.
>
> True, but the superuser doesn't necessarily know what the user has
> set his password to.

Yeah, but I'm not sure this case is worth worrying about.  People who
actually care password security are likely to have checks that are
substantially stronger than "!= username".

...Robert


pgsql-hackers by date:

Previous
From: "Greg Sabino Mullane"
Date:
Subject: Re: Could postgres be much cleaner if a future release skipped backward compatibility?
Next
From: Robert Haas
Date:
Subject: Re: Could postgres be much cleaner if a future release skipped backward compatibility?