On Thu, 2024-02-15 at 16:20 +0400, Zaur Hajili wrote:
> Recently one of the DBA course students informed me about a problem with the passwordcheck module.
>
> I cannot imagine that it is not a known issue, but if this is the known issue,
> then passwordcheck module loses all its functionality.
>
> The problem is, when a user changes their password via \password (the psql meta
> command), they can set any simple password successfully.
>
> Tested in versions 14, 15, 16. Same behavior.
>
> Postgres must check the password before converting it to a hash; it is clear that after
> hashing it cannot detect the weakness.
That is clearly off-topic for the WWW list.
The limitation is well known, see the "Caution" in the documentation of the module
or the discussion that led to the module:
https://www.postgresql.org/message-id/flat/D960CB61B694CF459DCFB4B0128514C203937F49%40exadv11.host.magwien.gv.at
It is a catch-22: the only entity that sees the clear text password and can
check it is the client, and the server cannot trust the client.
Yours,
Laurenz Albe
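As an added illustration of the catch-22 described above (example code written for this page, not code from the thread, from psql or from the passwordcheck module), the following Python sketch shows both sides: what a client such as `\password` computes before it ever talks to the server, and what a server-side hook can still decide once it only receives the result. The SCRAM-SHA-256 verifier construction follows RFC 5802 with the PostgreSQL storage layout; the policy rules in `server_side_check` are a simplified stand-in for passwordcheck's, and the `min_len` default is an assumption.

```python
import base64
import hashlib
import hmac
import os
import re

# Storage formats the server can recognise in ALTER ROLE ... PASSWORD '...'
SCRAM_RE = re.compile(r"^SCRAM-SHA-256\$(\d+):([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)$")
MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")


def scram_sha256_verifier(password, salt=None, iterations=4096):
    """Client side: the verifier libpq builds before sending ALTER ROLE.
    (SASLprep normalisation is skipped here; fine for ASCII input.)"""
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda b: base64.b64encode(b).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def md5_verifier(username, password):
    """Client side: the legacy md5 format, md5(password || username)."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def server_side_check(username, password, min_len=8):
    """Server side: what a check_password_hook can decide from what it receives.
    Returns (accepted, reason)."""
    if SCRAM_RE.match(password):
        # Opaque salted hash: no strength check is possible any more.
        return True, "pre-hashed SCRAM verifier; strength cannot be checked on the server"
    if MD5_RE.match(password):
        # The only thing still testable is whether password == username.
        if password == md5_verifier(username, username):
            return False, "md5 password equals the user name"
        return True, "pre-hashed md5; only username-equality is checkable"
    # Cleartext arrived: real policy can run.
    if len(password) < min_len:
        return False, "too short"
    if username.lower() in password.lower():
        return False, "contains the user name"
    if password.isalpha() or password.isdigit():
        return False, "needs both letters and non-letters"
    return True, "cleartext password passed policy"
```

Running `server_side_check("alice", "weak")` rejects the password, while the same password wrapped by `scram_sha256_verifier("weak")` is waved through, which is exactly the behaviour the thread reports.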