On Mon, Sep 28, 2009 at 4:38 PM, Tom Lane <t...@sss.pgh.pa.us> wrote:
> "Albe Laurenz" <laurenz.a...@wien.gv.at> writes:
>> Tom Lane wrote:
>>> Actually there's a much bigger problem with asking the backend to reject
>>> weak passwords: what ya gonna do with a pre-MD5'd string? Which is
>>> exactly what the backend is going to always get, in a security-conscious
>>> environment.
>
>> I'm thinking of the case where somebody changes his or her
>> password interactively on the command line, with pgAdmin III,
>> or similar. People would hardly use the above in that case,
>
> Really? If pgAdmin has a password-change function that doesn't use
> client-side password encryption then somebody should file a bug against
> it. Sending unencrypted passwords exposes the password at least to the
> postmaster logfile. createuser has been doing encryption, unless
> specifically commanded not to, for a long time.

pgAdmin MD5's the passwords if you use the GUI to change them, or when
you add a user. It doesn't make any attempt to parse the SQL if you enter it
yourself in the query tool though (nor is it going to).

--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
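
The trade-off discussed in this thread, as an added example that is not part of the original messages or of PostgreSQL's or pgAdmin's code: a client that pre-hashes keeps the cleartext out of the statement the server logs, but leaves a backend strength check nothing to inspect. It relies on PostgreSQL's md5 password format ("md5" followed by the hex MD5 of the password concatenated with the role name); the function names, the role "alice", the sample passwords and the toy strength rule are all assumptions made for illustration.

```python
import hashlib
import re

# PostgreSQL md5 format: literal "md5" + 32 hex chars of md5(password || role).
_PG_MD5 = re.compile(r"md5[0-9a-f]{32}")

def pg_md5_password(role, password):
    """Client-side encoding, done before the statement leaves the client."""
    digest = hashlib.md5((password + role).encode("utf-8")).hexdigest()
    return "md5" + digest

def is_pre_hashed(value):
    """True when the value already has the shape of a stored md5 password."""
    return _PG_MD5.fullmatch(value) is not None

def server_side_check(role, value, min_len=8):
    """Hypothetical backend strength check (toy rule: length and role name).

    Returns 'accept', 'reject' or 'unverifiable'. A pre-hashed value
    cannot be judged: the cleartext is not recoverable from the digest.
    """
    if is_pre_hashed(value):
        return "unverifiable"
    if len(value) < min_len or value.lower() == role.lower():
        return "reject"
    return "accept"

def alter_role_sql(role, value):
    """Statement text as the server would see it, and could log it."""
    ident = role.replace('"', '""')
    literal = value.replace("'", "''")
    return f"ALTER ROLE \"{ident}\" PASSWORD '{literal}'"

if __name__ == "__main__":
    role, weak = "alice", "hunter2"   # constructed sample values
    hashed = pg_md5_password(role, weak)

    # Cleartext path: the check works, but the password is in the statement.
    print(server_side_check(role, weak), "|", alter_role_sql(role, weak))
    # Pre-hashed path: nothing sensitive in the statement, nothing to check.
    print(server_side_check(role, hashed), "|", alter_role_sql(role, hashed))
```
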