Re: Rejecting weak passwords

Bruce Momjian wrote:
> Great, added to TODO:
>
>     Allow server-side enforcement of password policies
>
>         Password checks might include password complexity or non-reuse of
>     passwords. This facility will require the client to send the password to
>     the server in plain-text, so SSL and 'password' authentication is
>     necessary to use this features.

I don't get why you need 'password' authentication for that.
The point where the password should be checked is not when
the user uses it to logon, but when he or she changes it.

So in my opinion that should be:
This facility will require to send new and changed password to
the server in plain-text, so it will require SSL, and the use
of encrypted passwords in CREATE/ALTER ROLE will have to be
disabled.

Yours,
Laurenz Albe