Re: Rejecting weak passwords
From: Mark Mielke
Subject: Re: Rejecting weak passwords
Date:
Msg-id: 4AD74C83.1040703@mark.mielke.cc
In response to: Re: Rejecting weak passwords (Dave Page <dpage@pgadmin.org>)
Responses: Re: Rejecting weak passwords
List: pgsql-hackers
On 10/15/2009 03:54 AM, Dave Page wrote:
> On Wed, Oct 14, 2009 at 11:21 PM, Mark Mielke<mark@mark.mielke.cc> wrote:
>
>> On 10/14/2009 05:33 PM, Dave Page wrote:
>>
>>> No. Any checks at the client are worthless, as they can be bypassed by
>>> 10 minutes worth of simple coding in any of a dozen or more languages.
>>>
>> Why care?
>>
> Because many large (and small for that matter) organisations also have
> security policies which mandate the enforcement of specific password
> policies. Just because you think it's worthless to try to prevent
> someone reusing a password, or using 'password' doesn't mean that
> everyone else does. Some organisations will use such a feature in a
> box-ticking exercise when evaluating, and others may actually decide
> to use the feature, and expect it to work effectively.
>
> Beside, we are not in the habit of putting half-arsed features in
> PostgreSQL. If we do something, we do it properly.
>

You miss my point (and conveniently cut it out). For users who accidentally break policy vs users who purposefully circumvent policy - the approaches must be different, and the risk management decision may be different. It's a lot easier to circumvent policy than most people (management specifically) realize. If your attempt is to absolutely prevent a determined competent individual from circumventing your policy - you need to do a LOT MORE than what you are suggesting. If you just want to prevent accidents - having the client software do the checks is fine.

Cheers,
mark

-- 
Mark Mielke<mark@mielke.cc>