public inbox for [email protected]  
From: Laurenz Albe <[email protected]>
To: Zaur Hajili <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: Re: passwordcheck module problem
Date: Thu, 15 Feb 2024 13:45:52 +0100
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAFS9i-zYnEF3GZPZV+bDr_-2q394vG2VX9Vt3b8DYkSu+O8gEA@mail.gmail.com>
References: <CAFS9i-zYnEF3GZPZV+bDr_-2q394vG2VX9Vt3b8DYkSu+O8gEA@mail.gmail.com>

On Thu, 2024-02-15 at 16:20 +0400, Zaur Hajili wrote:
> Recently one of the DBA course students informed me about a problem with the passwordcheck module.
> 
> I cannot imagine that it is not a known issue, but if this is a known issue,
> then the passwordcheck module loses all its functionality.
> 
> The problem is, when a user changes their password via \password (the psql meta command),
> they can set any simple password successfully.
> 
> Tested in versions 14, 15, 16; same behavior.
> 
> Postgres must check the password before converting it to a hash; it is clear that after
> hashing it cannot detect the weakness.

That is clearly off-topic for the WWW list.

The limitation is well known, see the "Caution" in the documentation of the module
or the discussion that led to the module:
https://www.postgresql.org/message-id/flat/D960CB61B694CF459DCFB4B0128514C203937F49%40exadv11.host.m...

It is a catch-22: the only entity that sees the clear-text password and can
check it is the client, and the server cannot trust the client.

Yours,
Laurenz Albe
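To make the catch-22 concrete, here is an added illustration (not code from PostgreSQL, contrib/passwordcheck or either poster) that models in Python what the server sees in the two cases. `ALTER ROLE ... PASSWORD 'x'` delivers the clear-text string, so the module's rules (minimum length 8, must not contain the user name, must mix letters and non-letters) can run. psql's `\password` instead hashes on the client with `PQencryptPasswordConn` and sends a `SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>` verifier (or the legacy `md5...` form), so the only thing the server can still do is guess, and the module guesses exactly one candidate, the user name. The function names mirror the C routines they imitate (`check_password`, `get_password_type`, `plain_crypt_verify`) but are reimplementations; SASLprep normalisation is skipped, and the fixed salt is an assumption for reproducible output (libpq draws a random one).

```python
"""Added model of the passwordcheck decision: inspect clear-text passwords,
only guess at pre-hashed ones.  Not the module's own code."""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

MIN_PWD_LEN = 8  # same minimum as contrib/passwordcheck


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def scram_verifier(password: str, iterations: int = 4096,
                   salt: Optional[bytes] = None) -> str:
    """What a client builds for \\password under password_encryption =
    scram-sha-256: SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>."""
    salt = os.urandom(16) if salt is None else salt  # fixed salt only for tests
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", "sha256").digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", "sha256").digest()
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"


def md5_verifier(password: str, username: str) -> str:
    """Legacy client-side form: "md5" + md5(password || username)."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def password_type(shadow_pass: str) -> str:
    """Classify the string the way the server's get_password_type() does."""
    if (shadow_pass.startswith("md5") and len(shadow_pass) == 35
            and re.fullmatch(r"[0-9a-f]{32}", shadow_pass[3:])):
        return "md5"
    if re.fullmatch(r"SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+",
                    shadow_pass):
        return "scram-sha-256"
    return "plaintext"


def verifier_matches(shadow_pass: str, guess: str, username: str) -> bool:
    """Does `guess` reproduce the stored verifier?  (plain_crypt_verify role)"""
    kind = password_type(shadow_pass)
    if kind == "md5":
        return hmac.compare_digest(shadow_pass, md5_verifier(guess, username))
    if kind == "scram-sha-256":
        head, keys = shadow_pass.split("$")[1:]
        iterations, salt_b64 = head.split(":")
        stored_key_b64 = keys.split(":")[0]
        salted = hashlib.pbkdf2_hmac("sha256", guess.encode(),
                                     base64.b64decode(salt_b64), int(iterations))
        client_key = hmac.new(salted, b"Client Key", "sha256").digest()
        return hmac.compare_digest(_b64(hashlib.sha256(client_key).digest()), stored_key_b64)
    return hmac.compare_digest(shadow_pass, guess)


def check_password(username: str, shadow_pass: str) -> Tuple[bool, str]:
    """The passwordcheck hook's logic: (accepted, reason)."""
    if password_type(shadow_pass) != "plaintext":
        # Hashed before it reached us: content is opaque, we can only guess.
        if verifier_matches(shadow_pass, username, username):
            return False, "password must not equal user name"
        return True, "pre-hashed password: content cannot be inspected"
    if len(shadow_pass) < MIN_PWD_LEN:
        return False, "password is too short"
    if username in shadow_pass:
        return False, "password must not contain user name"
    has_letter = any(c.isalpha() for c in shadow_pass)
    has_nonletter = any(not c.isalpha() for c in shadow_pass)
    if not (has_letter and has_nonletter):
        return False, "password must contain both letters and nonletters"
    return True, "ok"


if __name__ == "__main__":
    # Same weak password, two delivery paths (constructed sample input).
    print("ALTER ROLE ... PASSWORD 'abc'  ->", check_password("bob", "abc"))
    print("\\password (SCRAM on client)    ->", check_password("bob", scram_verifier("abc")))
    print("\\password with password=user  ->", check_password("bob", scram_verifier("bob")))
```

The third line of the demo shows the one guess the module can still make on a hashed password; anything else short of brute force is invisible to the server, which is the limitation the "Caution" in the module's documentation describes.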
