Re: [HACKERS] Enhancements to passwordcheck
| From | Michael Paquier |
|---|---|
| Subject | Re: [HACKERS] Enhancements to passwordcheck |
| Date | |
| Msg-id | CAB7nPqSxUUXLggijB=bY=iyZqocdEv=W3u9wZMc3CweLQhFEzQ@mail.gmail.com |
| In reply to | Re: [HACKERS] Enhancements to passwordcheck (Alvaro Herrera <alvherre@alvh.no-ip.org>) |
| Responses | Re: [HACKERS] Enhancements to passwordcheck; Re: [HACKERS] Enhancements to passwordcheck |
| List | pgsql-hackers |
On Thu, Sep 28, 2017 at 12:06 AM, Alvaro Herrera <alvherre@alvh.no-ip.org> wrote:
> I think a password strength check must live at the end that does the
> encryption -- something like in psql when you do the \password command,
> *before* the encrypted password is sent to the server. Then you can do
> all sorts of stuff (... except check for password history).
>
> I think the passwordcheck module as a whole is a dead end, security-wise.
> Myself, I've never seen the point in it. It runs at the wrong
> time, and there's no way to fix that.

Client commands may be run on a trusted network as well, let's not forget that. But I definitely agree that this is bad practice in general to not hash passwords beforehand.

Another thing that passwordcheck is good at is being an example of hook use. I would think that many people refer to it when implementing their own module for whatever they want.

--
Michael
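The client-side flow Alvaro describes (strength check first, then only the encrypted form leaves the client, as psql's \password does), as an added example that is not part of this thread or of PostgreSQL's own code. It applies the three rules contrib/passwordcheck enforces server-side (minimum length 8, no user name inside the password, both letters and non-letters) to the plaintext, then derives the SCRAM-SHA-256 verifier string PostgreSQL stores; the function names and the case-insensitive user-name match are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

MIN_LENGTH = 8  # same minimum contrib/passwordcheck uses


def check_strength(password: str, username: str) -> List[str]:
    """Return policy violations; an empty list means the password passes.
    These are the passwordcheck rules, but run on the plaintext at the
    client, before any hashing (case-insensitive user-name match is an
    assumption of this example; passwordcheck itself uses strstr)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    has_letter = any(c.isalpha() for c in password)
    has_other = any(not c.isalpha() for c in password)
    if not (has_letter and has_other):
        problems.append("must contain both letters and non-letters")
    return problems


def scram_sha256_verifier(password: str, salt: Optional[bytes] = None,
                          iterations: int = 4096) -> str:
    """Build PostgreSQL's stored form: SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>
    (RFC 7677 derivation; 4096 iterations is PostgreSQL's default)."""
    if salt is None:
        salt = os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def prepare_password_change(username: str, password: str) -> str:
    """Client-side order of operations: reject weak plaintext, hash only what passed.
    The returned verifier is what would go into ALTER ROLE ... PASSWORD."""
    problems = check_strength(password, username)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return scram_sha256_verifier(password)
```

Because only the verifier reaches the server, a server-side hook such as passwordcheck's can no longer inspect the plaintext, which is the trade-off the thread discusses.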