Re: passwordcheck module problem
From | Laurenz Albe |
---|---|
Subject | Re: passwordcheck module problem |
Date | |
Msg-id | 0894d13fd95ecbf6bbde010bd13f50f735216e29.camel@cybertec.at |
In reply to | passwordcheck module problem (Zaur Hajili <zaurhajili@gmail.com>) |
List | pgsql-www |
On Thu, 2024-02-15 at 16:20 +0400, Zaur Hajili wrote:
> recently one of dba course students informed me about problem of passwordcheck module.
>
> I cannot imagine that it is not a known issue, but if this is the known issue,
> then passwordcheck module loses all its functionality.
>
> Problem is, when a user changes its password via \password (psql meta command)
> command, it can set any simple password successfully.
>
> Tested in versions 14,15,16. same behavior.
>
> Postgres must check the password before converting to hash, it is clear that after
> hash it cannot detect the weakness.

That is clearly off-topic for the WWW list.

The limitation is well known, see the "Caution" in the documentation of the module
or the discussion that led to the module:
https://www.postgresql.org/message-id/flat/D960CB61B694CF459DCFB4B0128514C203937F49%40exadv11.host.magwien.gv.at

It is catch 22: the only entity that sees the clear text password and can check it
is the client, and the server cannot trust the client.

Yours,
Laurenz Albe
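
What the server receives in each case, as an added example that is not part of the original message or of PostgreSQL's source: psql's \password hashes the password on the client before sending it, so a server-side check sees only a verifier and can do no more than test guesses such as the user name. The function names, the `min_length` rule and the sample inputs are assumptions made for illustration; the verifier layout follows PostgreSQL's SCRAM-SHA-256 format for ASCII passwords.

```python
import base64
import hashlib
import hmac
import os


def scram_verifier(password, salt=None, iterations=4096):
    """What a client sends instead of the clear text: a SCRAM-SHA-256 verifier.

    Assumption: ASCII password, so SASLprep normalization changes nothing.
    """
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    stored = hashlib.sha256(hmac.digest(salted, b"Client Key", "sha256")).digest()
    server = hmac.digest(salted, b"Server Key", "sha256")
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored)}:{b64(server)}"


def verifier_matches(verifier, guess):
    """Server side: the only possible test is to re-derive StoredKey for a guess."""
    _, params, keys = verifier.split("$")
    iterations, salt = params.split(":")
    salted = hashlib.pbkdf2_hmac(
        "sha256", guess.encode(), base64.b64decode(salt), int(iterations))
    stored = hashlib.sha256(hmac.digest(salted, b"Client Key", "sha256")).digest()
    return hmac.compare_digest(stored, base64.b64decode(keys.split(":")[0]))


def server_side_check(username, password_field, min_length=8):
    """Hypothetical policy hook; returns (accepted, reason)."""
    if password_field.startswith("SCRAM-SHA-256$"):
        # Pre-hashed by the client: length and character rules cannot be applied.
        if verifier_matches(password_field, username):
            return False, "password equals user name"
        return True, "pre-hashed, policy not checkable"
    if len(password_field) < min_length:
        return False, "too short"
    if password_field == username:
        return False, "password equals user name"
    return True, "clear text checked"


if __name__ == "__main__":
    # Constructed inputs: the same weak password, sent as clear text and pre-hashed.
    print(server_side_check("alice", "abc"))
    print(server_side_check("alice", scram_verifier("abc")))
    print(server_side_check("alice", scram_verifier("alice")))
```

The three-character password is rejected when it arrives as clear text and accepted when it arrives as a verifier, which is the behaviour reported in the quoted message.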