From: Martin Goodson
To: pgsql-general@lists.postgresql.org
Date: Sun, 23 Jun 2024 00:28:21 +0100
Subject: Password complexity/history - credcheck?
Message-ID: <79692c1a-190c-413e-9442-a14a45c1069d@googlemail.com>

Hello.

Recently our security team have wanted to apply password complexity checks akin to Oracle's profile mechanism to PostgreSQL, checking that a password hasn't been used in x months etc, has minimum length, x special characters and x numeric characters, mixed case etc.

As far as I'm aware there's nothing part of the standard 'community edition' which gives us that, apart from passwordcheck - which doesn't give you a password history.

Can anyone recommend a good mechanism to accommodate this? Ideally we're looking for something well-established, reliable, and easily configurable.

Does anything spring to mind?

A colleague has been looking around, and stumbled across https://github.com/MigOpsRepos/credcheck. Does anyone have any positive (or negative) experience with this? I'm happy to download and apply to a test database, obviously, but some indication of whether or not it's worth looking at first would be greatly appreciated. Is this something that the community would recommend?

Many thanks!

--
Martin Goodson.

"Have you thought up some clever plan, Doctor?"
"Yes, Jamie, I believe I have."
"What're you going to do?"
"Bung a rock at it."