Re: Rejecting weak passwords
From | Magnus Hagander |
---|---|
Subject | Re: Rejecting weak passwords |
Date | |
Msg-id | 9837222c0910200011x24759f9awe138e7ffa6b202d@mail.gmail.com |
In reply to | Re: Rejecting weak passwords (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: Rejecting weak passwords |
List | pgsql-hackers |
2009/10/19 Tom Lane <tgl@sss.pgh.pa.us>:
> I wrote:
>> A server-side plugin can provide a guarantee that there are no bad
>> passwords (for some value of bad, and with some possible adverse
>> consequences). We don't have that today.
>
> BTW, it strikes me that ALTER USER RENAME introduces an interesting
> hazard for such a plugin. Consider
>
> CREATE USER joe;
> ALTER USER joe PASSWORD joe; -- presumably, plugin will reject this
> ALTER USER joe PASSWORD mumblefrotz; -- assume this is considered OK
> ALTER USER joe RENAME TO mumblefrotz;
>
> Now we have a user with name equal to password, which no sane security
> policy will think is a good thing, but the plugin had no chance to
> prevent it.

The big difference is that you need to be superuser to change the name of a user, but not to change your own password.

I know for example the Windows password policy thing has the same issue - if you rename the user, it doesn't have the password around to check, but you are an administrator so that's considered ok.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
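The rename hazard discussed above, replayed as an added example. This is not PostgreSQL code and not anything posted in the thread: it models a password-policy hook in Python with an in-memory role catalogue, a PBKDF2 verifier with a random per-role salt (an assumption; it is not PostgreSQL's stored password format), and hypothetical hook names `check_password` and `rename_user`. It shows the sequence Tom gives slipping past a hook that only fires on password changes, and then a rename-time check that, even without the plaintext the policy "doesn't have around", can still ask the stored verifier whether the proposed new name is the role's password.

```python
import hashlib
import hmac
import os

# Constructed in-memory role catalogue: name -> (salt, verifier).
# Stands in for the server's role store; verifier is b"" when no password is set.
ROLES: dict[str, tuple[bytes, bytes]] = {}

MIN_LENGTH = 8  # assumed policy parameter


class PolicyViolation(Exception):
    """Raised by a hook to reject a role change."""


def _derive(password: str, salt: bytes) -> bytes:
    # Assumed verifier construction (PBKDF2-HMAC-SHA256); not PostgreSQL's format.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def check_password(username: str, password: str) -> None:
    """Hook point 1 (hypothetical): runs only when a password is set."""
    if password.casefold() == username.casefold():
        raise PolicyViolation("password must not equal the role name")
    if len(password) < MIN_LENGTH:
        raise PolicyViolation(f"password shorter than {MIN_LENGTH} characters")


def create_user(name: str) -> None:
    ROLES[name] = (os.urandom(16), b"")


def set_password(name: str, password: str) -> None:
    check_password(name, password)
    salt = os.urandom(16)
    ROLES[name] = (salt, _derive(password, salt))


def rename_user(old: str, new: str, check_on_rename: bool) -> None:
    """Hook point 2 (hypothetical): a rename-time check that needs no plaintext.

    The policy cannot see the password, but it can derive the candidate
    (the new name) with the stored salt and compare against the verifier.
    """
    salt, verifier = ROLES[old]
    if check_on_rename and verifier and hmac.compare_digest(_derive(new, salt), verifier):
        raise PolicyViolation("new role name equals the role's current password")
    ROLES[new] = ROLES.pop(old)


def name_equals_password(name: str) -> bool:
    """Audit helper: does this role's verifier match its own name?"""
    salt, verifier = ROLES[name]
    return bool(verifier) and hmac.compare_digest(_derive(name, salt), verifier)


def run_scenario(check_on_rename: bool) -> list[str]:
    """Replay the thread's sequence and report each step's outcome."""
    ROLES.clear()
    create_user("joe")
    steps = [
        ("ALTER USER joe PASSWORD 'joe'", lambda: set_password("joe", "joe")),
        ("ALTER USER joe PASSWORD 'mumblefrotz'", lambda: set_password("joe", "mumblefrotz")),
        ("ALTER USER joe RENAME TO mumblefrotz",
         lambda: rename_user("joe", "mumblefrotz", check_on_rename)),
    ]
    outcomes = []
    for label, action in steps:
        try:
            action()
            outcomes.append(f"{label}: ok")
        except PolicyViolation as exc:
            outcomes.append(f"{label}: rejected ({exc})")
    return outcomes


if __name__ == "__main__":
    for mode in (False, True):
        print(f"check_on_rename={mode}")
        for line in run_scenario(mode):
            print("  " + line)
        for role in ROLES:
            print(f"  audit: {role} name==password? {name_equals_password(role)}")
```

With `check_on_rename=False` the audit at the end reports a role named `mumblefrotz` whose verifier matches its own name, which is exactly the state the thread warns about; with the rename-time check enabled the third statement is rejected instead. The verifier comparison only answers yes or no for the one candidate string, so it does not weaken the stored secret, but it does mean "the plugin had no chance to prevent it" is a property of where the hook is wired, not an inherent limitation of hashed storage.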