Re: Rejecting weak passwords
From | Robert Haas |
---|---|
Subject | Re: Rejecting weak passwords |
Date | |
Msg-id | 603c8f070909290718rc79dde5re3282d9e5c3340cb@mail.gmail.com |
In reply to | Re: Rejecting weak passwords (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: Rejecting weak passwords, Re: Rejecting weak passwords |
List | pgsql-hackers |

On Tue, Sep 29, 2009 at 9:48 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> "Albe Laurenz" <laurenz.albe@wien.gv.at> writes:
>> I thought about it some more, and I think that a password checking
>> hook might still be somewhat useful even for MD5-encrypted passwords;
>> the function could guess and exclude at least that dreadful
>> all-too-frequent case of username = password.
>
> True.  You could probably even run through a moderate-size dictionary
> of weak passwords, depending on how long you're willing to make the
> user wait.  (CHECK_FOR_INTERRUPTS inside the loop would be polite ;-))

But how much value is there in that? This whole thing seems like a dead end to me. No matter how long you're willing to wait, putting the checking on the client side will let you do far more validation for the same price.

...Robert
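
The server-side check discussed in the quoted text, sketched as an added example that is not part of the original thread or of PostgreSQL's code: when the server receives only a pre-hashed MD5 password, a hook can still hash its own guesses (the username, then a dictionary) and compare. The function names and the sample dictionary are hypothetical; the verifier layout `md5` followed by md5(password || username) is PostgreSQL's MD5 password format.

```python
import hashlib

# Constructed sample dictionary; a real check would load a larger word list.
WEAK_PASSWORDS = ("password", "123456", "qwerty", "letmein", "postgres")


def pg_md5_verifier(password, username):
    """Build a PostgreSQL-style MD5 verifier: 'md5' + md5(password || username)."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def weak_password_reason(username, verifier, dictionary=WEAK_PASSWORDS):
    """Return why a pre-hashed password is weak, or None if no guess matches.

    Only the verifier is visible here, so every candidate has to be hashed
    with the username as salt and compared. The cost is one MD5 per guess,
    which is the waiting time the thread is weighing.
    """
    if not (verifier.startswith("md5") and len(verifier) == 35):
        return None  # not an MD5 verifier, nothing to guess against
    if pg_md5_verifier(username, username) == verifier:
        return "password equals username"
    for candidate in dictionary:
        if pg_md5_verifier(candidate, username) == verifier:
            return "password found in weak-password dictionary"
    return None


if __name__ == "__main__":
    # Constructed inputs: role "alice" setting three different passwords.
    for pw in ("alice", "qwerty", "c0rrect-h0rse-9"):
        print(pw, "->", weak_password_reason("alice", pg_md5_verifier(pw, "alice")))
```

Length, character-class and similar rules cannot be evaluated against the hash at all, which is the limitation behind the argument for validating on the client, where the cleartext is available.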