public inbox for [email protected]
From: Tom Lane <[email protected]>
To: Martin Goodson <[email protected]>
Cc: [email protected]
Subject: Re: Password complexity/history - credcheck?
Date: Sat, 22 Jun 2024 20:23:08 -0400
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
References: <[email protected]>
Martin Goodson <[email protected]> writes:
> Recently our security team have wanted to apply password complexity
> checks akin to Oracle's profile mechanism to PostgreSQL, checking that a
> password hasn't been used in x months etc, has minimum length, x special
> characters and x numeric characters, mixed case etc.
Don't suppose it would help to push back on whether your security
team knows what they're doing.
The really key reason why server-side password checks are not as
bright an idea as they sound is that they cannot be implemented
without forcing the client to transmit the password in cleartext.
It's widely considered best practice if the server *never* sees
the user's cleartext password, because then it can't leak, either
from sniffing the connection or scraping the postmaster log.
I believe that practices such as forcing a password change every
X amount of time are not viewed as favorably as they once were,
either. (The argument is that that discourages users from putting
any serious thought into choosing an uncrackable password, and
might well encourage them to write down their current and last few
passwords somewhere.)
Anyway, considerations like these are why there are no features
of this sort in community PG. You can use an extension that
applies some checks, but there's no good way around the "needs
cleartext password" problem for that.
regards, tom lane
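The mechanism behind Tom's point, as an added example that is not part of the original message and not PostgreSQL's or any extension's code: the client derives a SCRAM-SHA-256 verifier from the password (RFC 5802 derivation with SHA-256, in the `SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>` layout PostgreSQL stores in pg_authid), and the server later authenticates a login from StoredKey alone. A complexity rule therefore has to run where the cleartext still exists, which is the client. Assumptions: passwords are plain ASCII (so SASLprep is the identity), 4096 is PostgreSQL's default iteration count, the rules in `check_policy()` are a hypothetical policy of the kind the original post describes, and the nonces and salt are constructed inline.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 4096  # PostgreSQL's default SCRAM iteration count (assumption)


def _scram_keys(password: str, salt: bytes, iterations: int):
    """RFC 5802 key derivation with SHA-256 (the SCRAM-SHA-256 mechanism)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, stored_key, server_key


def scram_verifier(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Verifier in the layout PostgreSQL stores in pg_authid.rolpassword.
    This is all the server ever holds: no cleartext, no reversible hash."""
    _, stored_key, server_key = _scram_keys(password, salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def parse_verifier(verifier: str) -> dict:
    """Split a stored verifier back into its parameters (the server's view)."""
    mech, rest = verifier.split("$", 1)
    params, keys = rest.split("$", 1)
    iters, salt = params.split(":", 1)
    stored, server = keys.split(":", 1)
    return {
        "mechanism": mech,
        "iterations": int(iters),
        "salt": base64.b64decode(salt),
        "stored_key": base64.b64decode(stored),
        "server_key": base64.b64decode(server),
    }


def check_policy(password: str, min_len: int = 12) -> list:
    """Hypothetical complexity rules (not any extension's). Returns the
    violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems


def client_set_password(password: str, salt: Optional[bytes] = None) -> str:
    """Client-side flow: enforce the policy while the cleartext is in hand,
    then send the server only the verifier. If the policy ran on the server
    instead, the cleartext would have to travel to it and appear in its logs."""
    problems = check_policy(password)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    return scram_verifier(password, salt if salt is not None else os.urandom(16))


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side of the login: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, stored_key, _ = _scram_keys(password, salt, iterations)
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def server_verify(verifier: str, auth_message: bytes, proof: bytes) -> bool:
    """Server side of the login: recover ClientKey from the proof and check
    that H(ClientKey) matches StoredKey. The password itself never arrives."""
    v = parse_verifier(verifier)
    client_sig = hmac.new(v["stored_key"], auth_message, hashlib.sha256).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), v["stored_key"])


if __name__ == "__main__":
    # Constructed demo values; a real exchange uses random nonces and salt.
    salt = b"0123456789abcdef"
    verifier = client_set_password("Correct-Horse-9", salt)
    auth_message = b"n=alice,r=cnonce,r=cnoncesnonce,s=MDEyMzQ1Njc4OWFiY2RlZg==,i=4096,c=biws,r=cnoncesnonce"
    print(verifier)
    print("login with right password:", server_verify(verifier, auth_message,
          client_proof("Correct-Horse-9", salt, ITERATIONS, auth_message)))
    print("login with wrong password:", server_verify(verifier, auth_message,
          client_proof("wrong", salt, ITERATIONS, auth_message)))
```

The server functions above use only what `parse_verifier()` returns, which is why a history or complexity check cannot be bolted on there: anything that needs the password string has to run before `scram_verifier()` on the client, or else the client must send the cleartext.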