On Wed, Oct 14, 2009 at 9:50 PM, Kevin Grittner <kevin.gritt...@wicourts.gov> wrote:
> Dave Page <dp...@pgadmin.org> wrote:
>
>> I said up front this was a box-ticking exercise for these folks,
>
> Can they check the box if the provided clients include password
> strength checking? I'm just wondering if we're going at this the hard
> way, if that really is the main goal.

No. Any checks at the client are worthless, as they can be bypassed by
10 minutes' worth of simple coding in any of a dozen or more languages.

> And, perhaps slightly off topic: if the login password is sent over a
> non-encrypted stream, md5sum or not, can't someone use it to log in if
> they're generating their own stream to connect? Discussions of which
> is the more secure way to change passwords seems a little silly if
> you're only worried about environments where someone can sniff any
> login sequence and spoof the user anyway.

No - see Tom's reply.

>> (meh - who cares if we can store 2009-02-31 - it stores all the
>> valid dates which are the ones that matter :-p )
>
> Oh, now that's just trolling -- you really don't want to open that can
> of worms again, do you? :-p

Well, after 12+ years in these parts I figure anyone should get the
privilege of a small dig once in a while :-)

--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com