Dave Page <dp...@pgadmin.org> wrote:

> I said up front this was a box-ticking exercise for these folks,

Can they check the box if the provided clients include password strength checking? I'm just wondering if we're going at this the hard way, if that really is the main goal.

From the point of view of usefulness, wouldn't it be OK if clients enforced the strength (or at least warned of weakness) *and* sent the md5sum?

And, perhaps slightly off topic: if the login password is sent over a non-encrypted stream, md5sum or not, can't someone use it to log in if they're generating their own stream to connect? Discussions of which is the more secure way to change passwords seem a little silly if you're only worried about environments where someone can sniff any login sequence and spoof the user anyway.

> (meh - who cares if we can store 2009-02-31 - it stores all the
> valid dates which are the ones that matter :-p )

Oh, now that's just trolling -- you really don't want to open that can of worms again, do you? :-p

-Kevin
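The client-side approach raised in the message above (check strength in the client, then send only the md5sum) can be sketched as follows. This is an added example, not code from the thread or from any PostgreSQL client; the policy thresholds and function names are assumptions, while the verifier layout is PostgreSQL's md5 format, `md5` followed by the hex MD5 of password plus user name.

```python
import hashlib
import re

MIN_LENGTH = 12  # assumed policy value, not taken from the thread


def weakness_reasons(password, username):
    """Return the policy violations found; an empty list means acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        reasons.append("contains the user name")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        reasons.append("uses fewer than 3 character classes")
    return reasons


def pg_md5_verifier(password, username):
    """Build the value stored for md5 auth: 'md5' + md5(password || username)."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def prepare_password_change(password, username):
    """Check strength while the cleartext is still available, then hash.

    Once only the verifier is sent, the server cannot judge strength,
    so the check has to happen here in the client.
    """
    reasons = weakness_reasons(password, username)
    if reasons:
        raise ValueError("weak password: " + "; ".join(reasons))
    return pg_md5_verifier(password, username)


if __name__ == "__main__":
    # Constructed sample values for illustration only.
    print(prepare_password_change("Correct-Horse-42", "kevin"))
```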