Re: Rejecting weak passwords
From | Peter Eisentraut |
---|---|
Subject | Re: Rejecting weak passwords |
Date | |
Msg-id | 1255953075.19430.31.camel@fsopti579.F-Secure.com |
In response to | Re: Rejecting weak passwords ("Albe Laurenz" <laurenz.albe@wien.gv.at>) |
Responses | Re: Rejecting weak passwords |
List | pgsql-hackers |

On Mon, 2009-10-19 at 09:14 +0200, Albe Laurenz wrote:
> Bruce Momjian wrote:
> > Great, added to TODO:
> >
> > Allow server-side enforcement of password policies
> >
> > Password checks might include password complexity or non-reuse of
> > passwords. This facility will require the client to send the password to
> > the server in plain-text, so SSL and 'password' authentication is
> > necessary to use this features.
>
> I don't get why you need 'password' authentication for that.
> The point where the password should be checked is not when
> the user uses it to logon, but when he or she changes it.
>
> So in my opinion that should be:
> This facility will require to send new and changed password to
> the server in plain-text, so it will require SSL, and the use
> of encrypted passwords in CREATE/ALTER ROLE will have to be
> disabled.

Note that this solution will still not satisfy the original checkbox requirement.
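
The point made in the quoted text, that a server-side policy only works if CREATE/ALTER ROLE receives the new password in plain text, as an added example (not part of the original message and not PostgreSQL code). The function names, the guess list and the policy thresholds are assumptions; the pre-hashed form is PostgreSQL's md5 format, `md5` followed by the MD5 of password and role name concatenated.

```python
import hashlib
import re

MIN_LENGTH = 8  # assumed policy value, not taken from the thread


def pg_md5(password: str, role: str) -> str:
    """Pre-hashed form a client can send: 'md5' + md5(password || role name)."""
    return "md5" + hashlib.md5((password + role).encode()).hexdigest()


def is_prehashed(value: str) -> bool:
    """True if the value has the shape of an md5 pre-hashed password."""
    return re.fullmatch(r"md5[0-9a-f]{32}", value) is not None


def check_new_password(role: str, value: str, allow_prehashed: bool,
                       guesses=("password", "123456", "secret")) -> str:
    """Return 'ok' or a rejection reason for a password set on a role."""
    if is_prehashed(value):
        if not allow_prehashed:
            return "rejected: pre-hashed password, policy cannot be verified"
        # Only the hash is visible here: length and character classes are
        # unknown, so the server can do no more than test a few guesses.
        for guess in (role, *guesses):
            if pg_md5(guess, role) == value:
                return "rejected: hash matches a guessable password"
        return "ok"  # accepted although the complexity rules never ran
    # Plain-text path: the full policy can be applied.
    if len(value) < MIN_LENGTH:
        return "rejected: too short"
    if role.lower() in value.lower():
        return "rejected: contains role name"
    if not (re.search(r"[A-Za-z]", value) and re.search(r"[^A-Za-z]", value)):
        return "rejected: needs letters and non-letters"
    return "ok"


if __name__ == "__main__":
    weak = "abc"  # constructed sample input
    print(check_new_password("alice", weak, True))
    print(check_new_password("alice", pg_md5(weak, "alice"), True))
    print(check_new_password("alice", pg_md5(weak, "alice"), False))
```

The same three-character password is rejected in plain text, accepted when the client hashes it first, and refused outright once pre-hashed values are disallowed.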