On Tue, Oct 20, 2009 at 9:42 AM, Tom Lane <[email protected]> wrote:
> Magnus Hagander <[email protected]> writes:
>> 2009/10/19 Tom Lane <[email protected]>:
>>> Now we have a user with name equal to password, which no sane security
>>> policy will think is a good thing, but the plugin had no chance to
>>> prevent it.
>
>> The big difference is that you need to be superuser to change the name
>> of a user, but not to change your own password.
>
> True, but the superuser doesn't necessarily know what the user has
> set his password to.

Yeah, but I'm not sure this case is worth worrying about. People who actually care about password security are likely to have checks that are substantially stronger than "!= username".

...Robert
