Re: Rejecting weak passwords

On 10/15/2009 02:02 PM, Dave Page wrote:
> On Thu, Oct 15, 2009 at 6:55 PM, Robert Haas<robertmhaas@gmail.com>  wrote:
>
>    
>> OK, so we're in violent agreement here?
>>      
>  From a technical perspective I think we have been for a while. Though
> clearly some people disagree with my assertion that putting any form
> of policy enforcement in the client is not actually 'enforcement'. I
> wonder how many of those folks would implement their website's data
> sanitisation in the browser only - but I digress... :-)
>    

It depends on what your goal is. If your goal is to treat users as 
monkeys that you do not trust, even with their own password, and the DBA 
as God, who you absolutely do trust, than you are correct.

I don't know about your company - but in my company, the DBAs are in the 
IT department, and they really have no business knowing my password, 
which would give them access to my employee records, and my 
authorization capabilities. For any company that requires security, I do 
not accept that we can "trust the DBA". The database is just one small 
component in a much larger solution. The DBA is the monkey for a minor 
backend application, and the designers are the people earning money for 
the corporation. We have the exact opposite of what you are suggesting. 
A person can get access to much more data by logging in as the user on 
their *desktop* than by accessing some database directly.

I think you are missing that security is a balance. Your dig at ignorant 
people who do JS-based browser side checks of input is not applicable. 
You are exchanging one type of security for another type of security. 
You think that your proposed type of security is more valid than my 
proposed type of security. It depends on the application. Sometimes you 
might be right. Other times, you have arguably made things worse. Any 
company that truly needs security of this sort - should not be using 
PostgreSQL based roles with passwords for authentication. The true value 
of your proposal is pretty limited.

I'm not saying don't do it. I am saying that you are not truly achieving 
any improvement in security for the target audience you are saying that 
you are representing.

I think your proposal might improve things for newbies running 
PostgreSQL on an open Internet port at home who pick username = 
password. Frankly, I don't think their data is worth protecting, and 
their choice to use username = password and make it accessible on an 
open Internet port confirms that they are either completely ignorant 
about security, or they also agree that their data is not worth protecting.


Cheers,
mark

-- 
Mark Mielke<mark@mielke.cc>