On 05.08.2010 22:54, Tom Lane wrote:
> Scott Marlowe <scott.marlowe@xxxxxxxxx> writes:
>> On Thu, Aug 5, 2010 at 2:20 PM, Craig James <craig_james@xxxxxxxxxxxxxx> wrote:
>>> A better solution is to implement a password-strength algorithm and require
>>> people to select decent passwords to begin with.
>>
>> Exactly. If you allow simpler passwords that have to be changed you
>> get things like:
>>
>> ilovemywife22 md5: b845aec254d018d118fe52c46ee8c98c
>>
>> changed to
>>
>> ilovemywife23 md5: 8c2b59e4d961478e3a9d5bd94979f329
>>
>> You can't tell how close they are by the md5. If you try to prevent
>> people from reusing similar passwords, then you have to store either
>> the previous passwords (bad security) or something like a soundex of
>> the previous password (also bad security.)
>
> A place I know but won't name has a policy of storing your last five
> passwords (hopefully in md5'd form, but I don't actually know that) and
> not letting you reuse those. Of course this merely encourages people to
> use a cycle of six or so passwords, like something they can remember
> with one digit tagged on.

Hi!

Such a policy is in force in my country (Poland), but only if the system contains personal data (government law):
8 or more characters, 2 capital letters, 2 digits.

And... sometimes this is a pain in the... but we don't have a choice.

TIP: you don't need 6 passwords, just 2, differing by one character ;-)

-- 
Andrzej Zawadzki

-- 
Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
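The thread above raises three points that fit together at password-change time: a strength rule (the Polish one quoted by Andrzej: 8+ characters, 2 capitals, 2 digits), a history of previous passwords that must be stored hashed rather than in clear or as a soundex, and the observation that a hash gives no hint of how close two passwords are. The following is an added example, not code from the thread or from any of the posters, showing how to get a useful similarity check anyway: the new password arrives in plaintext, so its trivial mutations (the "one digit tagged on" cycle Tom describes, or Andrzej's two passwords differing by one character) can be hashed and compared against the stored history. All function names, the policy constants, the PBKDF2-SHA256 hashing (used here instead of the md5 the thread mentions) and the list of mutations are this example's own assumptions, and the sample passwords are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re

# Policy constants modelled on the rule quoted in the thread (assumption:
# the exact legal wording may differ; these are the numbers given there).
MIN_LENGTH = 8
MIN_UPPER = 2
MIN_DIGITS = 2


def check_strength(password: str) -> list[str]:
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isupper() for c in password) < MIN_UPPER:
        problems.append(f"fewer than {MIN_UPPER} uppercase letters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    return problems


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256); never store the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_history_entry(password: str, iterations: int = 100_000) -> tuple[bytes, int, bytes]:
    """What gets stored per old password: random salt, iteration count, digest."""
    salt = os.urandom(16)
    return salt, iterations, hash_password(password, salt, iterations)


def matches_history(password: str, history: list[tuple[bytes, int, bytes]]) -> bool:
    """Exact-match check against stored hashes, in constant time per entry."""
    for salt, iterations, digest in history:
        if hmac.compare_digest(hash_password(password, salt, iterations), digest):
            return True
    return False


def trivial_variants(password: str) -> set[str]:
    """Mutations users reach for when forced to rotate: a trailing number
    bumped up or down by a few, the number dropped, or the first letter's
    case flipped. Only what is enumerated here gets caught (assumption)."""
    variants: set[str] = set()
    m = re.match(r"^(.*?)(\d+)$", password)
    if m:
        stem, num = m.group(1), m.group(2)
        width = len(num)
        for delta in range(-3, 4):
            n = int(num) + delta
            if delta != 0 and n >= 0:
                variants.add(f"{stem}{n:0{width}d}")
        variants.add(stem)
    if password:
        variants.add(password[0].swapcase() + password[1:])
    variants.discard(password)
    return variants


def validate_new_password(new_password: str,
                          history: list[tuple[bytes, int, bytes]]) -> list[str]:
    """Full change-time check: strength rule, then exact reuse, then near reuse."""
    problems = check_strength(new_password)
    if matches_history(new_password, history):
        problems.append("reuses a previous password")
    elif any(matches_history(v, history) for v in trivial_variants(new_password)):
        problems.append("trivial variant of a previous password")
    return problems


if __name__ == "__main__":
    # The two passwords from the thread: their md5 digests share nothing,
    # which is why similarity cannot be judged from stored hashes alone.
    for pw in ("ilovemywife22", "ilovemywife23"):
        print(pw, "md5:", hashlib.md5(pw.encode()).hexdigest())
    # Constructed history: the user last set "IloveMywife22" and now tries "...23".
    history = [make_history_entry("IloveMywife22")]
    print(validate_new_password("IloveMywife23", history))
```

Each variant costs one full PBKDF2 computation per history entry, so keep the mutation list short and the history bounded (the "last five" from the thread is a sensible cap); the check is a heuristic that catches only the mutations it enumerates, and it still cannot compare against old passwords whose plaintext it never sees in any other way.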