Re: Rejecting weak passwords
From | Kevin Grittner |
---|---|
Subject | Re: Rejecting weak passwords |
Date | |
Msg-id | 4AD5F356020000250002B93B@gw.wicourts.gov |
In response to | Re: Rejecting weak passwords (Dave Page <dpage@pgadmin.org>) |
Responses |
Re: Rejecting weak passwords
Re: Rejecting weak passwords |
List | pgsql-hackers |
Dave Page <dpage@pgadmin.org> wrote:

> I said up front this was a box-ticking exercise for these folks,

Can they check the box if the provided clients include password strength checking? I'm just wondering if we're going at this the hard way, if that really is the main goal.

From the point of view of usefulness, wouldn't it be OK if clients enforced the strength (or at least warned of weakness) *and* sent the md5sum?

And, perhaps slightly off topic: if the login password is sent over a non-encrypted stream, md5sum or not, can't someone use it to log in if they're generating their own stream to connect? Discussions of which is the more secure way to change passwords seem a little silly if you're only worried about environments where someone can sniff any login sequence and spoof the user anyway.

> (meh - who cares if we can store 2009-02-31 - it stores all the
> valid dates which are the ones that matter :-p )

Oh, now that's just trolling -- you really don't want to open that can of worms again, do you? :-p

-Kevin
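The client-side approach raised in this message (check strength before hashing, then send only the md5 form) can be sketched as follows. This is an added example, not code from the thread or from PostgreSQL; the policy thresholds, word list and function names are hypothetical, and only the `'md5' + md5(password || username)` layout is PostgreSQL's own md5 storage format.

```python
import hashlib

# Hypothetical policy values for illustration; not from the thread or PostgreSQL.
MIN_LENGTH = 10
COMMON = {"password", "letmein", "qwerty123", "postgres"}
CLASS_TESTS = (str.islower, str.isupper, str.isdigit,
               lambda c: not c.isalnum())


def weakness(password, username):
    """Return the reasons a password is weak (empty list means acceptable)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if password.lower() in COMMON:
        reasons.append("common password")
    if username and username.lower() in password.lower():
        reasons.append("contains user name")
    # Count how many character classes (lower, upper, digit, symbol) appear.
    classes = sum(any(test(c) for c in password) for test in CLASS_TESTS)
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    return reasons


def pg_md5(password, username):
    """PostgreSQL md5 stored form: 'md5' + md5(password || username)."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def alter_role_statement(username, password):
    """Check strength on the client, then build ALTER ROLE with only the hash.

    The server receives just the hash, so this is the last point at which
    the plaintext can be inspected.
    """
    reasons = weakness(password, username)
    if reasons:
        raise ValueError("weak password: " + ", ".join(reasons))
    # Quote the role name as an identifier, doubling embedded double quotes.
    ident = '"' + username.replace('"', '""') + '"'
    # The hash is 'md5' plus 32 hex digits, so it is safe inside the literal.
    return f"ALTER ROLE {ident} PASSWORD '{pg_md5(password, username)}'"
```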