"Albe Laurenz" <laurenz.a...@wien.gv.at> writes:
> Tom Lane wrote:
>> Actually there's a much bigger problem with asking the backend to reject
>> weak passwords: what ya gonna do with a pre-MD5'd string? Which is
>> exactly what the backend is going to always get, in a security-conscious
>> environment.

> I'm thinking of the case where somebody changes his or her
> password interactively on the command line, with pgAdmin III,
> or similar. People would hardly use the above in that case,

Really? If pgAdmin has a password-change function that doesn't use
client-side password encryption then somebody should file a bug against
it. Sending unencrypted passwords exposes the password at least to the
postmaster logfile.

createuser has been doing encryption, unless specifically commanded not
to, for a long time.

regards, tom lane
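
The two points raised in the message above (the backend receives only an opaque pre-MD5'd string, and a plaintext password travels in the statement text) are shown here as an added Python example that is not part of the original thread. The function names, the deny list and the length rule are assumptions for illustration; the `md5` + md5(password + role name) layout is PostgreSQL's MD5 password format.

```python
import hashlib
import re

MD5_RE = re.compile(r"md5[0-9a-f]{32}")

def pg_md5_encrypt(password: str, role: str) -> str:
    """Client-side encryption: 'md5' + md5(password || role name)."""
    digest = hashlib.md5((password + role).encode("utf-8")).hexdigest()
    return "md5" + digest

def is_pre_hashed(value: str) -> bool:
    """True when the value already has the pre-MD5'd shape."""
    return MD5_RE.fullmatch(value) is not None

def backend_policy_check(value: str, role: str,
                         deny_list=("password", "123456")) -> str:
    """Hypothetical server-side weak-password check (not PostgreSQL code)."""
    if not is_pre_hashed(value):
        # Plaintext arrived: length and content rules can be applied.
        if len(value) < 8 or value == role or value in deny_list:
            return "reject"
        return "accept"
    # Pre-hashed: length and character rules are impossible. The only
    # option left is re-hashing known-bad candidates for this role.
    for candidate in (role, *deny_list):
        if pg_md5_encrypt(candidate, role) == value:
            return "reject"
    return "unknown"

def statement_as_logged(role: str, value: str) -> str:
    """Statement text as the server receives it and may write to its log."""
    return 'ALTER ROLE "%s" PASSWORD \'%s\'' % (
        role.replace('"', '""'), value.replace("'", "''"))

if __name__ == "__main__":
    role, weak = "alice", "kitten"  # constructed sample values
    hashed = pg_md5_encrypt(weak, role)
    print(backend_policy_check(weak, role))    # plaintext: rule applies
    print(backend_policy_check(hashed, role))  # pre-hashed: cannot tell
    print(statement_as_logged(role, weak))     # password visible in text
    print(statement_as_logged(role, hashed))   # only the hash is visible
```
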