Message-ID: <43826fbd-2d26-467b-afcf-7fde609f8da3@googlemail.com>
Date: Sun, 23 Jun 2024 10:30:17 +0100
From: Martin Goodson
To: Tom Lane
Cc: pgsql-general@lists.postgresql.org
Subject: Re: Password complexity/history - credcheck?
In-Reply-To: <834558.1719102188@sss.pgh.pa.us>
References: <79692c1a-190c-413e-9442-a14a45c1069d@googlemail.com> <834558.1719102188@sss.pgh.pa.us>

On 23/06/2024 01:23, Tom Lane wrote:
> Don't suppose it would help to push back on whether your security
> team knows what they're doing.
> ...
> Anyway, considerations like these are why there's not features
> of this sort in community PG. You can use an extension that
> applies some checks, but there's no good way around the "needs
> cleartext password" problem for that.
>
> regards, tom lane

I believe that our security team is getting most of this from our auditors, who seem convinced that minimal complexity, password history, etc. are the way to go despite the fact that, as you say, server-side password checks can't really be implemented when the database receives a hash rather than a cleartext password, and password minimal complexity etc. is not perhaps considered the gold standard it once was. In fact, I think they see a hashed password as a disadvantage.

credcheck seems to satisfy their requirements - password complexity, password history, etc. - but, and this is the crucial bit, only on cleartext passwords.

If I'm forced to go to cleartext passwords, which would be a nightmare, credcheck might be worth looking at, but I'm not sure whether or not it is well adopted, reliable, and without significant issues. I only heard about it a few days ago from a friend/colleague, so I was wondering if anybody else was using it and what experiences with it might be.

Regards,

Martin.
-- 
Martin Goodson.

"Have you thought up some clever plan, Doctor?"
"Yes, Jamie, I believe I have."
"What're you going to do?"
"Bung a rock at it."
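What the "needs cleartext password" problem looks like concretely, as an added Python example that is not part of this thread and not PostgreSQL's or credcheck's code: it builds the SCRAM-SHA-256 secret that psql's \password (via libpq's PQencryptPasswordConn) sends in ALTER USER ... PASSWORD in place of the cleartext, and models a check_password_hook that can apply complexity and history rules only when the string it receives is still plaintext. The secret format and key derivation follow RFC 7677 and PostgreSQL's defaults (4096 iterations, 16-byte random salt), with SASLprep omitted, so only ASCII passwords match what the server would store. The complexity rules, the "reject anything that arrives pre-hashed" policy, and the role name alice are assumptions for illustration, not credcheck's rule set.

```python
"""Added example: SCRAM-SHA-256 secrets vs. server-side password policy.
Not PostgreSQL's or credcheck's code; policy rules below are assumed."""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# PostgreSQL's defaults when it (or libpq) builds a SCRAM-SHA-256 secret.
SCRAM_ITERATIONS = 4096
SCRAM_SALT_LEN = 16

# Stored form: SCRAM-SHA-256$<iterations>:<salt_b64>$<StoredKey_b64>:<ServerKey_b64>
_SCRAM_RE = re.compile(
    r"^SCRAM-SHA-256\$(?P<iter>\d+):(?P<salt>[A-Za-z0-9+/=]+)"
    r"\$(?P<stored>[A-Za-z0-9+/=]+):(?P<server>[A-Za-z0-9+/=]+)$"
)


def _keys(password: str, salt: bytes, iterations: int) -> tuple[bytes, bytes]:
    """Derive (StoredKey, ServerKey) as in RFC 7677. SASLprep is skipped (ASCII only)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return stored_key, server_key


def build_scram_secret(password: str, salt: Optional[bytes] = None,
                       iterations: int = SCRAM_ITERATIONS) -> str:
    """Return what the client sends instead of the cleartext (and what pg_authid stores)."""
    if salt is None:
        salt = os.urandom(SCRAM_SALT_LEN)
    stored_key, server_key = _keys(password, salt, iterations)

    def b64(b: bytes) -> str:
        return base64.b64encode(b).decode("ascii")

    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def password_type(shadow_pass: str) -> str:
    """Classify the string the way the backend does before invoking check_password_hook."""
    if _SCRAM_RE.match(shadow_pass):
        return "scram-sha-256"
    if re.fullmatch(r"md5[0-9a-f]{32}", shadow_pass):
        return "md5"
    return "plaintext"


def verify_against_secret(password: str, secret: str) -> bool:
    """Check a cleartext candidate against a stored secret. Only possible with the cleartext:
    two secrets for the same password never compare equal because each has its own salt."""
    m = _SCRAM_RE.match(secret)
    if not m:
        return False
    salt = base64.b64decode(m["salt"])
    stored_key, _ = _keys(password, salt, int(m["iter"]))
    return hmac.compare_digest(stored_key, base64.b64decode(m["stored"]))


def complexity_failures(username: str, password: str, min_len: int = 12) -> list[str]:
    """Illustrative complexity rules (assumed for this example, not credcheck's)."""
    failures = []
    if len(password) < min_len:
        failures.append(f"shorter than {min_len} characters")
    for name, pat in (("lowercase", r"[a-z]"), ("uppercase", r"[A-Z]"),
                      ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pat, password):
            failures.append(f"no {name} character")
    if username.lower() in password.lower():
        failures.append("contains the role name")
    return failures


def check_password_hook(username: str, shadow_pass: str, history: list[str]) -> tuple[bool, str]:
    """Model of a server-side hook; history holds this role's earlier SCRAM secrets."""
    kind = password_type(shadow_pass)
    if kind != "plaintext":
        # A salted hash arrived: no complexity check is possible, and no history
        # comparison either (different salts). Policy assumed here: reject it.
        return False, f"password arrived pre-hashed ({kind}); cannot evaluate policy"
    failures = complexity_failures(username, shadow_pass)
    if failures:
        return False, "; ".join(failures)
    if any(verify_against_secret(shadow_pass, old) for old in history):
        return False, "password was used previously"
    return True, ""


if __name__ == "__main__":
    old = build_scram_secret("Tr0ub4dor&3-pencil")          # what \password would send
    print(check_password_hook("alice", old, []))            # hook sees only the hash
    print(check_password_hook("alice", "hunter2", []))      # cleartext: rules apply
    print(check_password_hook("alice", "Tr0ub4dor&3-pencil", [old]))  # history hit
```

The trade-off the thread is weighing is visible in the last three calls: the hook can enforce anything it likes on the cleartext path, but that path means the password travels inside the SQL text of ALTER USER, where log_statement and pg_stat_activity can expose it; on the SCRAM path the server never learns the password and the hook can only accept or reject the opaque secret.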