Re: Rejecting weak passwords

From Kevin Grittner
Subject Re: Rejecting weak passwords
Date
Msg-id 4AD60187020000250002B964@gw.wicourts.gov
In reply to Re: Rejecting weak passwords  (Dave Page <dpage@pgadmin.org>)
Responses Re: Rejecting weak passwords  (Dave Page <dpage@pgadmin.org>)
List pgsql-hackers

Dave Page <dpage@pgadmin.org> wrote:

> No. Any checks at the client are worthless, as they can be bypassed
> by 10 minutes worth of simple coding in any of a dozen or more
> languages.

Well, sure, but we're talking about a client going out of their way to
wrestle the point of the gun toward their own foot, aren't we?  If
we're worried about the user compromising their own password, we have
bigger problems, like that slip of paper in their desk drawer with the
password written on it.  I mean, I know some of these checklists can
be pretty brain-dead (I've been on both sides of the RFP process many
times), but it would seem over the top to say that client-side
password strength checks aren't OK for the reason you give.

-Kevin

