Tom Lane wrote: > Robert Haas <robertmh...@gmail.com> writes: > > If we were using some kind of real public key system and someone > > suggested breaking it to add password complexity checking, I would > > understand the outrage here. But I don't understand why everyone is > > so worked up about having an *optional* *flag* to force plaintext > > instead of MD5. I might be wrong here, but can't a determined > > attacker brute-force an MD5 anyway? The very fact that people are > > suggesting that password checking might be feasible even on a > > pre-MD5'd password by using a dictionary suggests that we're not > > getting a whole lot of real security here. And even if not, dude, > > it's an *optional* *flag*. > > Yes, and it's an optional flag that could perfectly well be implemented > in the plugin that I think we do have consensus to add a hook for. > The argument is over why do we need to litter the core system with it.
So, are we agreed to provide a hook on the server side, but to use it you have to configure your system with SSL and 'password'? I can add that to the TODO list. -- Bruce Momjian <br...@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + If your life is a hard drive, Christ can be your backup. + -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
