On Thu, Oct 15, 2009 at 6:17 PM, Josh Berkus <j...@agliodbs.com> wrote:

> Enabling the inclusion of a password checker in the client *would*
> improve things by preventing stupid users from setting their password
> the same as their username, or to a 3-letter word, or anything equally
> stupid which can be checked in a contextless way.  This would be a
> real, incremental improvement *without* breaking anything else.  And
> presumably would help our checkboxyness.

What client? For the vast majority of users, what you're proposing is
'do it yourself'. Most people don't use pgAdmin or psql.

> But I've seen nothing in Dave's other proposals which would *actually*

Actually, I made just one proposal, to complement a patch that has
already been submitted.

> improve password security as opposed to doing exactly the opposite
> Requiring passwords to be sent unhashed over the wire so that they can
> be checked on the server is like making sure that your front door is
> always locked by giving keys to everyone you meet.

As Peter pointed out, it's already game-over if you're worried about
the DBA. For other cases, I was clear that SSL should be expected.

> In fact, given Dave's pursuit of a specific set of requirements, I think

My only request was for server-side password policy enforcement, and a
way to ensure users/DBAs could use pgAdmin to manage those passwords.

> he has *one* specific client in mind rather than a generalized
> requirement.  For my part, I've not in 10 years had anyone ask me for
> password checking in Postgres as an evaluation criterion.  Encrypted
> data, yes.

I don't deal with prospective clients, which is where this comes from.
I do deal with a team of (pre)sales engineers who complain about this,
and maybe half-a-dozen other issues on a very regular basis. They tell
me that PostgreSQL loses out in early stages of tech evals because of
this issue, and I have no reason to disbelieve them. Sure it's almost
certainly not the only reason, but they add up.

And yes, data encryption is one of the other checkbox items that they
bleat about.

-- 
Dave Page
EnterpriseDB UK:   http://www.enterprisedb.com

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
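The two positions in this exchange (a contextless check in the client versus server-side enforcement that only works if the server sees the cleartext) can be made concrete. The following is an added example, not code from this thread, from pgAdmin or from PostgreSQL itself. It implements the kind of contextless rules Josh describes (not equal to the role name, not trivially short), builds the ALTER ROLE statement a client would send either with the cleartext or with the md5 form PostgreSQL stores ('md5' followed by hex(md5(password || rolename)), which is PostgreSQL's real format), and shows what a hypothetical server-side hook could still check on each. The policy threshold MIN_LENGTH, the BAD_PASSWORDS list, the role name "alice" and the function names are all constructed for the illustration. It goes slightly beyond the thread in one respect: because the md5 form is salted only with the role name, a server-side check can still detect a pre-hashed password that equals the role name or a known-bad value by rehashing the candidate, even though length and composition rules are lost.

```python
"""Contextless password checks on the client, and what a server-side hook
can still see once the client pre-hashes.  Added example; assumptions are
marked in comments."""
import hashlib
import re

MIN_LENGTH = 8  # assumed policy threshold; PostgreSQL imposes no minimum itself
BAD_PASSWORDS = ("password", "postgres", "123456")  # constructed sample list
# A literal of this shape is treated by PostgreSQL as an already-hashed password.
MD5_LITERAL = re.compile(r"^md5[0-9a-f]{32}$")


def contextless_violations(username, password):
    """Rules that need no dictionary, history or other context (client side)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() == username.lower():
        problems.append("identical to the role name")
    elif len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the role name")
    if len(set(password)) <= 2:
        problems.append("fewer than three distinct characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs both letters and digits")
    return problems


def pg_md5_password(username, password):
    """PostgreSQL's stored md5 form: 'md5' + hex(md5(password || rolename))."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def quote_ident(name):
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value):
    return "'" + value.replace("'", "''") + "'"


def alter_role_sql(username, password, prehash):
    """The statement a client ends up sending.  With prehash=True only the
    md5 form crosses the wire (and is logged); the cleartext never leaves
    the client, which is exactly why a server-side check cannot read it."""
    secret = pg_md5_password(username, password) if prehash else password
    return "ALTER ROLE %s PASSWORD %s;" % (quote_ident(username), quote_literal(secret))


def server_side_check(username, password_literal):
    """Stand-in for a hypothetical server-side policy hook.  It only gets the
    literal from the statement.  Cleartext: full contextless rules apply.
    Pre-hashed: only equality against values the server can rehash itself,
    because the salt is just the role name."""
    if not MD5_LITERAL.match(password_literal):
        return contextless_violations(username, password_literal)
    findings = []
    if password_literal == pg_md5_password(username, username):
        findings.append("identical to the role name")
    for bad in BAD_PASSWORDS:
        if password_literal == pg_md5_password(username, bad):
            findings.append("matches known-bad password %r" % bad)
    if not findings:
        findings.append("pre-hashed literal: only equality to known values can be checked")
    return findings


if __name__ == "__main__":
    user = "alice"  # constructed role name
    for pw in ("alice", "postgres", "Tr0ub4dor-h0rse!"):
        print("client check  %-18r -> %s" % (pw, contextless_violations(user, pw) or "ok"))
        for prehash in (False, True):
            stmt = alter_role_sql(user, pw, prehash)
            literal = stmt.split("PASSWORD ", 1)[1].rstrip(";").strip("'")
            print("  wire: %s" % stmt)
            print("  server sees -> %s" % (server_side_check(user, literal) or "ok"))
```

Running it shows the asymmetry the thread argues about: the client check rejects "alice" and "postgres" regardless of transport, while the server-side hook rejects them only because it can rehash the role name and a short known-bad list; for any other pre-hashed value it has nothing to evaluate, and for cleartext the statement (and therefore the password) is visible to the server and to anything logging statements, which is where the SSL expectation comes in.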