On Mon, 2009-10-19 at 09:14 +0200, Albe Laurenz wrote: > Bruce Momjian wrote: > > Great, added to TODO: > > > > Allow server-side enforcement of password policies > > > > Password checks might include password complexity or non-reuse of > > passwords. This facility will require the client to send the password to > > the server in plain-text, so SSL and 'password' authentication is > > necessary to use this features. > > I don't get why you need 'password' authentication for that. > The point where the password should be checked is not when > the user uses it to logon, but when he or she changes it. > > So in my opinion that should be: > This facility will require to send new and changed password to > the server in plain-text, so it will require SSL, and the use > of encrypted passwords in CREATE/ALTER ROLE will have to be > disabled.
Note that this solution will still not satisfy the original checkbox requirement. -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
