Re: Password strength requirements

On Dec 21, 2006, at 7:08 AM, Tomasz Ostrowski wrote:

> I'm working on a project which needs to satisfy some legal
> requirements for password strength. But any postgresql user can do;
>     alter role [session_user] password 'foo';
>
> Is there any way to disallow self changing of password by ordinary
> users? Or force password strength in any other way?

If you check http://www.postgresql.org/docs/8.2/static/client-
authentication.html
you'll see a bunch of different ways to authenticate users. Most of
them are
external to the database, so don't allow changing the password from
within
the database.

One of those should satisfy your needs - PAM in particular allows you to
plugin a huge variety of backends to provide a lot of different
behaviors.

Cheers,
   Steve