On 10/15/2009 03:54 AM, Dave Page wrote:
On Wed, Oct 14, 2009 at 11:21 PM, Mark Mielke<m...@mark.mielke.cc> wrote:
On 10/14/2009 05:33 PM, Dave Page wrote:
No. Any checks at the client are worthless, as they can be bypassed by
10 minutes worth of simple coding in any of a dozen or more languages.
Why care?
Because many large (and small for that matter) organisations also have
security policies which mandate the enforcement of specific password
policies. Just because you think it's worthless to try to prevent
someone reusing a password, or using 'password' doesn't mean that
everyone else does. Some organisations will use such a feature in a
box-ticking exercise when evaluating, and others may actually decide
to use the feature, and expect it to work effectively.
Besides, we are not in the habit of putting half-arsed features in
PostgreSQL. If we do something, we do it properly.
You miss my point (and conveniently cut it out). For users who
accidentally break policy vs users who purposefully circumvent policy -
the approaches must be different, and the risk management decision may
be different.
It's a lot easier to circumvent policy than most people (management
specifically) realize. If your attempt is to absolutely prevent a
determined competent individual from circumventing your policy - you
need to do a LOT MORE than what you are suggesting.
If you just want to prevent accidents - having the client software do
the checks is fine.
Cheers,
mark
--
Mark Mielke<m...@mielke.cc>
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
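The distinction the two posters are arguing over, modelled in code. This is an added illustration and is not code from the thread, from PostgreSQL, or from the feature under discussion: the Server and client functions, the policy rules, and the one-statement SQL grammar are all invented for the example. The only thing borrowed from PostgreSQL is the storage form it used for MD5 passwords at the time, 'md5' followed by md5(password || username). A well-behaved client that checks locally stops accidents; a client that simply sends the ALTER ROLE statement skips the check entirely, so the check only binds if the server runs it too. The last step shows the caveat a practitioner needs: if the client pre-hashes the password, the server can still refuse reuse but can no longer judge complexity.

```python
import hashlib
import re


class PolicyError(Exception):
    """Raised when a new password violates the (assumed) policy."""


def pg_md5(username, password):
    # Storage form PostgreSQL used for MD5 passwords: 'md5' + md5(password || username)
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def check_complexity(username, password):
    """Assumed rules: not 'password', 8+ chars, no user name, letters and non-letters."""
    if password.lower() == "password":
        raise PolicyError("the literal word 'password' is not allowed")
    if len(password) < 8:
        raise PolicyError("must be at least 8 characters")
    if username.lower() in password.lower():
        raise PolicyError("must not contain the user name")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[^A-Za-z]", password)):
        raise PolicyError("must mix letters and non-letters")


_ALTER = re.compile(r"ALTER ROLE (\w+) PASSWORD '((?:[^']|'')*)'", re.IGNORECASE)


def quote_literal(s):
    return "'" + s.replace("'", "''") + "'"


class Server:
    """Invented stand-in for a server that may or may not enforce the policy itself."""

    def __init__(self, enforce_policy):
        self.enforce_policy = enforce_policy
        self.history = {}  # username -> list of stored digests (reuse check lives here)

    def execute(self, sql):
        m = _ALTER.fullmatch(sql.strip())
        if not m:
            raise ValueError("unsupported statement: " + sql)
        user, literal = m.group(1), m.group(2).replace("''", "'")
        hist = self.history.setdefault(user, [])
        if literal.startswith("md5") and len(literal) == 35:
            # Pre-hashed by the client: only reuse can be checked, not complexity.
            digest = literal
        else:
            if self.enforce_policy:
                check_complexity(user, literal)
            digest = pg_md5(user, literal)
        if self.enforce_policy and digest in hist:
            raise PolicyError("password was used before")
        hist.append(digest)
        return digest


def client_change_password(server, user, password):
    """Well-behaved client: checks before sending. Prevents accidents, nothing more."""
    check_complexity(user, password)
    return server.execute(f"ALTER ROLE {user} PASSWORD {quote_literal(password)}")


def bypass_change_password(server, user, password):
    """Any other client: sends the statement directly, no local check at all."""
    return server.execute(f"ALTER ROLE {user} PASSWORD {quote_literal(password)}")


def _rejected(fn, *args):
    try:
        fn(*args)
        return False
    except PolicyError:
        return True


def demo():
    results = {}
    lax = Server(enforce_policy=False)
    results["client_blocks_weak"] = _rejected(client_change_password, lax, "alice", "password")
    bypass_change_password(lax, "alice", "password")
    results["bypass_succeeds_without_server_check"] = (
        lax.history["alice"] == [pg_md5("alice", "password")])

    strict = Server(enforce_policy=True)
    results["server_blocks_bypass"] = _rejected(bypass_change_password, strict, "alice", "password")
    bypass_change_password(strict, "alice", "Correct-Horse-9")
    results["server_blocks_reuse"] = _rejected(bypass_change_password, strict, "alice", "Correct-Horse-9")
    # Pre-hashed weak password: the server has no plaintext to judge, so it is accepted.
    strict.execute(f"ALTER ROLE alice PASSWORD {quote_literal(pg_md5('alice', 'password'))}")
    results["prehashed_weak_accepted"] = strict.history["alice"][-1] == pg_md5("alice", "password")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Reuse can only be enforced where the history is, which is the server; the client never had that information in the first place. The pre-hashed case is why "a LOT MORE" is needed if the goal is stopping a determined user rather than an accident: a server-side hook sees either plaintext it can judge or a digest it can only compare.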