On Thu, Sep 28, 2017 at 12:06 AM, Alvaro Herrera <alvhe...@alvh.no-ip.org> wrote:
> I think a password strength check must live at the end that does the
> encryption -- something like in psql when you do the \password command,
> *before* the encrypted password is sent to the server. Then you can do
> all sorts of stuff (... except check for password history).
>
> I think the passwordcheck module as a whole is a dead end,
> security-wise. Myself, I've never seen the point in it. It runs at the
> wrong time, and there's no way to fix that.
Client commands may be run on a trusted network as well, let's not forget that. But I definitely agree that it is bad practice in general not to hash passwords beforehand. Another thing that passwordcheck is good at is being an example of hook use. I would think that many people refer to it when implementing their own module for whatever they want.

--
Michael

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
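The timing problem the thread describes, as an added illustration that is not code from the thread or from PostgreSQL: a client-side check runs on the plaintext before the verifier is built, whereas a server-side hook that receives an already-hashed value has nothing left to judge. The strength rules are a simplified version modelled on passwordcheck's (minimum length, no user name, letters plus non-letters), and the server-side function only simulates what a check hook would see; the MD5 verifier format is PostgreSQL's real one.

```python
import hashlib
import re

MIN_PASSWORD_LENGTH = 8  # same minimum that contrib/passwordcheck uses


def check_strength(username: str, password: str) -> list:
    """Client-side policy, modelled on passwordcheck's plaintext rules.
    Returns a list of violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("too short")
    if username.lower() in password.lower():
        problems.append("contains user name")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[^A-Za-z]", password)):
        problems.append("needs both letters and non-letters")
    return problems


def md5_verifier(username: str, password: str) -> str:
    """PostgreSQL's MD5 password format: 'md5' + hex(md5(password || username)).
    This is what a client sends once it encrypts before transmission."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def client_set_password(username: str, password: str) -> str:
    """What a \\password-style client can do: reject weak passwords locally,
    then hand the server only the verifier."""
    problems = check_strength(username, password)
    if problems:
        raise ValueError("weak password: " + ", ".join(problems))
    return md5_verifier(username, password)


def server_side_hook(username: str, shadow_pass: str) -> str:
    """Simulates (hypothetical, not the real hook API) what a server-side
    password hook gets to see. For a pre-hashed value the strength rules
    cannot run; the only remaining test is whether the hash equals
    md5(username || username), i.e. password == user name."""
    if shadow_pass.startswith("md5") and len(shadow_pass) == 35:
        if shadow_pass == md5_verifier(username, username):
            return "rejected: password equals user name"
        return "unchecked: already hashed, strength unknown"
    problems = check_strength(username, shadow_pass)
    return "rejected: " + ", ".join(problems) if problems else "accepted"
```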