Hi,
On Wed, Dec 18, 2024 at 02:56:24PM -0600, Nathan Bossart wrote:
> Here is what I have staged for commit.
Thanks!
A few comments:
=== 1
+ if (pwdlen < min_password_length)
ereport(ERROR,
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
errmsg("password is too short")));
Now that the minimum password length is not "hardcoded" anymore, I wonder if it
wouldn't be better to provide more details here (pwdlen and
min_password_length).
Suggestion in on_top_of_0001.txt attached.
=== 2
+ /* Define custom GUC variables. */
+ DefineCustomIntVariable("passwordcheck.min_password_length",
+ "Minimum allowed
password length.",
+ NULL,
+ &min_password_length,
+ 8,
+ 0, INT_MAX,
Since a password must contain both letters and nonletters, 0 seems too low. I
wonder if 2 is not a better value (done in on_top_of_0001.txt attached).
Also, it seems to me that INT_MAX is too large (as mentioned in [1]), but that's
probably a nit.
[1]: https://www.postgresql.org/message-id/Zzzmw4IAvrypmFO4%40ip-10-97-1-34.eu-west-3.compute.internal
Regards,
--
Bertrand Drouvot
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
diff --git a/contrib/passwordcheck/expected/passwordcheck.out
b/contrib/passwordcheck/expected/passwordcheck.out
index ad1ac400ba..5d7a9496c9 100644
--- a/contrib/passwordcheck/expected/passwordcheck.out
+++ b/contrib/passwordcheck/expected/passwordcheck.out
@@ -5,7 +5,7 @@ CREATE USER regress_passwordcheck_user1;
ALTER USER regress_passwordcheck_user1 PASSWORD 'a_nice_long_password';
-- error: too short
ALTER USER regress_passwordcheck_user1 PASSWORD 'tooshrt';
-ERROR: password is too short
+ERROR: password is too short: 7 (< 8)
-- ok
SET passwordcheck.min_password_length = 6;
ALTER USER regress_passwordcheck_user1 PASSWORD 'v_shrt';
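Review bot: The updated expected line "ERROR: password is too short: 7 (< 8)" only exercises the new message with the default minimum; in the visible lines the statement after SET passwordcheck.min_password_length = 6 is a success case only. Since the purpose of the new message is to report the configured limit, consider adding a rejected password under the non-default setting so the test shows that the second number follows the GUC rather than a constant 8.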
diff --git a/contrib/passwordcheck/passwordcheck.c
b/contrib/passwordcheck/passwordcheck.c
index a0103806d0..5027fa35c8 100644
--- a/contrib/passwordcheck/passwordcheck.c
+++ b/contrib/passwordcheck/passwordcheck.c
@@ -97,7 +97,7 @@ check_password(const char *username,
if (pwdlen < min_password_length)
ereport(ERROR,
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
- errmsg("password is too short")));
+ errmsg("password is too short: %d (<
%d)", pwdlen, min_password_length)));
/* check if the password contains the username */
if (strstr(password, username))
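Review bot: In the new errmsg in check_password, the two numbers carry no unit and the primary message now mixes the condition with its details. The GUC is declared with GUC_UNIT_BYTE in _PG_init, so pwdlen is presumably a byte count (its declaration is not visible in this hunk), and a password with multibyte characters would be reported with a length the user does not recognise; saying "bytes" would avoid that. Consider keeping errmsg("password is too short") unchanged and moving pwdlen and min_password_length into an errdetail(), which keeps the primary message short and stable.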
@@ -149,7 +149,7 @@ _PG_init(void)
NULL,
&min_password_length,
8,
- 0, INT_MAX,
+ 2, INT_MAX,
PGC_SUSET,
GUC_UNIT_BYTE,
NULL, NULL, NULL);
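Review bot: The new bounds line "2, INT_MAX," has no comment explaining why the minimum is 2, and the upper bound is left at INT_MAX. The value 2 only follows from the separate rule that a password must contain both letters and nonletters, so a short comment beside the DefineCustomIntVariable arguments would keep the two from drifting apart if that rule changes. For the upper bound, since check_password rejects anything with pwdlen < min_password_length, a setting larger than any password that can be supplied would reject every password change, so a smaller cap is worth considering.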