From: Greg Sabino Mullane
Date: Sun, 23 Jun 2024 11:09:26 -0400
Subject: Re: Password complexity/history - credcheck?
To: Martin Goodson
Cc: Tom Lane, pgsql-general@lists.postgresql.org
In-Reply-To: <43826fbd-2d26-467b-afcf-7fde609f8da3@googlemail.com>

On Sun, Jun 23, 2024 at 5:30 AM Martin Goodson wrote:

> I believe that our security team is getting most of this from our
> auditors, who seem convinced that minimal complexity, password history
> etc. are the way to go despite the fact that, as you say, server-side
> password checks can't really be implemented when the database receives a
> hash rather than a clear text password, and password minimal complexity
> etc. is not perhaps considered the gold standard it once was.
>
> In fact, I think they see a hashed password as a disadvantage.

Wow, full stop right there. This is a hill to die on.

Push back and get some competent auditors. This should not be a DBA's problem. Your best bet is to use Kerberos, and throw the password requirements out of the database realm entirely.

Also, the discussion should be about 2FA, not password history/complexity.

Cheers,
Greg
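The point quoted above, that a server-side check sees only a hash once the client pre-hashes the password, illustrated as an added example that is not part of the thread and not credcheck's or PostgreSQL's code: `policy_hook` is a hypothetical stand-in for a server-side password check, the salt is a constructed sample value, and the verifier layout follows PostgreSQL's `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>` format.

```python
"""Added example: why a server-side policy hook cannot judge complexity
when the client sends a pre-hashed SCRAM-SHA-256 verifier instead of the
clear text password. Not code from the list thread or from credcheck."""
import base64
import hashlib
import hmac
import re

# PostgreSQL rolpassword layout: SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>
SCRAM_VERIFIER = re.compile(
    r"^SCRAM-SHA-256\$(?P<iter>\d+):(?P<salt>[A-Za-z0-9+/=]+)"
    r"\$(?P<stored>[A-Za-z0-9+/=]+):(?P<server>[A-Za-z0-9+/=]+)$"
)

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def scram_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    """What a client-side ALTER USER ... PASSWORD 'SCRAM-SHA-256$...' transmits.
    Only PBKDF2-derived keys leave the client; the password itself never does."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"

def policy_hook(received: str, min_length: int = 12) -> dict:
    """Hypothetical server-side check: returns what can be decided from the
    string the server actually received."""
    if SCRAM_VERIFIER.match(received):
        # Only iteration count, salt and two derived keys are present: length,
        # character classes and plaintext-based history are unknowable here.
        return {"checkable": False, "reason": "pre-hashed SCRAM verifier"}
    problems = []
    if len(received) < min_length:
        problems.append(f"shorter than {min_length}")
    classes = [re.search(p, received) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")]
    if sum(1 for c in classes if c) < 3:
        problems.append("fewer than 3 character classes")
    return {"checkable": True, "problems": problems}

if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample salt, not from the thread
    print(policy_hook("Tr0ub4dor&3"))                         # plaintext: judgeable
    print(policy_hook(scram_verifier("Tr0ub4dor&3", salt)))   # verifier: not judgeable
```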