On Fri, Sep 12, 2008 at 10:08:56AM +0200, Markus Schiltknecht wrote: > Hi, > > David Fetter wrote: >> I'm all for something, and that's a much better something. What we >> have now--nothing--actively distresses newbies for no good reason. >> >> I don't know how many people we've lost right at that point, but >> the number has to be high, as most people don't just hop into IRC >> with their problem. > > Maybe something much more specific, i.e. triggering only if one > tried to connect via localhost or unix sockets, and only if one > tried to authenticate as 'root' without a password.
It's not the root part that confuses people, but the entire message. > The hint shoud IMO say something like: "The default superuser is > postgres, not root". Something that's useful for this specific case > and doesn't disturb in others. And something that's public > knowledge, which any reasonably serious attacker already knows > anyway. I, too, disagree with the "security by obscurity" approach to auth error messages. A system cracker will not be deterred by any such a thing, but a new user can easily be. Cheers, David. -- David Fetter <[EMAIL PROTECTED]> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: [EMAIL PROTECTED] Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers