On Thu, Oct 15, 2009 at 5:28 PM, Mark Mielke <m...@mark.mielke.cc> wrote:
>
> Not so clear to me. If they're doing strong checks, this means they're
> sending passwords in the clear or only barely encoded, or using some OTHER
> method than 'alter role ... password ...' to change the password.

Some are sending them in the clear (though often over SSL connections).

> Point being - if you think this is absolutely important to do - don't go +5%
> of the way - go 100% of the way.

Exactly - that's why I want to see a check in the server, not the client which should get to 95%. I also happen to agree with Magnus that the only really secure way to do this is outside of SQL, but I can't see us dropping ALTER USER ... WITH PASSWORD in a hurry.

> Then again, I'm not so concerned about what arbitrary criteria some person
> defines as "what makes a good database system". I'm more concerned with what
> makes the system better for *me*. I don't see how this entire thread helps
> *me* in any way - and I do understand the need for strong passwords - and my
> company *does* have policies that require strong passwords. Even if the
> plugin is provided - I'm not going to activate it. I already have a policy
> for setting strong passwords that I already follow.

That's an excellent point. It probably doesn't make any difference to you or many of the other people on this list who are concerned with running their own systems and may already use other techniques, such as LDAP, SSPI etc.

A not-insignificant percentage of the people here are not concerned with running their own systems though. They are working to help new users adopt PostgreSQL, and make a living selling services or support to those users. Sometimes that can be for huge projects, where it is necessary to justify every difference in check-box items against other products to get past the early eval stages. Like it or not, that is a fact, and this hampers our adoption.

--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com