From: Chris Travers <[email protected]>
To: o1bigtenor <[email protected]>
Cc: [email protected]
Subject: Re: 2FA - - - was Re: Password complexity/history - credcheck?
Date: Mon, 24 Jun 2024 20:30:44 +0700
Message-ID: <CAKt_Zft6pfd+Cw+5oyDDCiOqF9aJoYcBcXeT2cY=Cm1zkzpcow@mail.gmail.com> (raw)
In-Reply-To: <CAPpdf5--HVKeABj+uYtoFza5ZguYe_KNPjvF_E4uhPLEk=G-_Q@mail.gmail.com>
References: <[email protected]>
	<[email protected]>
	<[email protected]>
	<CAKAnmmL7a20MKmjJuQZsrZPqCoSfdi5xpCtL4eqTxmcCKefC6Q@mail.gmail.com>
	<CAPpdf5--HVKeABj+uYtoFza5ZguYe_KNPjvF_E4uhPLEk=G-_Q@mail.gmail.com>

On Mon, Jun 24, 2024 at 8:00 PM o1bigtenor <[email protected]> wrote:

> On Sun, Jun 23, 2024 at 10:10 AM Greg Sabino Mullane <[email protected]>
> wrote:
>
>> On Sun, Jun 23, 2024 at 5:30 AM Martin Goodson <[email protected]>
>> wrote:
>>
>>> I believe that our security team is getting most of this from our
>>> auditors, who seem convinced that minimal complexity, password history
>>> etc. are the way to go despite the fact that, as you say, server-side
>>> password checks can't really be implemented when the database receives a
>>> hash rather than a clear text password, and password minimal complexity
>>> etc. is not perhaps considered the gold standard it once was.
>>>
>>> In fact, I think they see a hashed password as a disadvantage.
>>
>> Wow, full stop right there. This is a hill to die on.
>>
>> Push back and get some competent auditors. This should not be a DBA's
>> problem. Your best bet is to use Kerberos, and throw the password
>> requirements out of the database realm entirely.
>>
>> Also, the discussion should be about 2FA, not password history/complexity.
>
> Hmmmmmmm - - - - 2FA - - - - what I've seen of it so far is that
> authentication is most often done using totally insecure tools (emailing
> some numbers or using SMS). Now if you were espousing the use of security
> dongles and such I would agree - - - - otherwise you are promoting the
> veneering of insecurity on insecurity with the hope that this helps.
>
> IMO having excellent passwords far trumps even 2FA - - - - 2FA is useful
> when simple or quite easily broken passwords are required. Now when you
> add the lack of SMS possibilities (due to lack of signal) 2FA is an
> unusually potent PITA because of course SMS 'always' works (except it
> doesn't(!!!!!!!!!!!!!!!!)).
>
> (Can you tell that I've been bitten in the posterior repeatedly with this
> garbage?)

For 2FA, a simple solution is to require a password plus
clientcert=sameuser.  This allows you to authorize devices/user accounts
for specific remote database connections and provides that second factor --
i.e. something you have as well as something you know.

> Regards


-- 
Best Wishes,
Chris Travers

Efficito:  Hosted Accounting and ERP.  Robust and Flexible.  No vendor
lock-in.
http://www.efficito.com/learn_more
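A concrete pg_hba.conf shape for the password-plus-client-certificate setup described in the message above, added here as an example and not taken from the thread or from PostgreSQL's own documentation. It uses `clientcert=verify-full`, the pg_hba.conf spelling of that option in PostgreSQL 12 and later, which makes the server verify the client certificate against `ssl_ca_file` and require its CN to equal the database user name; the subnet, file paths, database and role names are placeholders.

```conf
# postgresql.conf: enable TLS and point the server at the CA that signs
# client certificates (all paths are placeholders).
ssl = on
ssl_cert_file = '/etc/postgresql/server.crt'
ssl_key_file  = '/etc/postgresql/server.key'
ssl_ca_file   = '/etc/postgresql/client-ca.crt'

# pg_hba.conf: the first matching line wins, so order matters.

# Weak: one factor only. Anyone holding a valid password for app_user can
# connect from the whole subnet over TLS.
# TYPE    DATABASE  USER      ADDRESS       METHOD
hostssl   appdb     app_user  10.0.0.0/24   scram-sha-256

# Two factors: the SCRAM password (something you know) AND a client
# certificate issued by the CA in ssl_ca_file whose CN is "app_user"
# (something you have). A connection missing either one is rejected.
# TYPE    DATABASE  USER      ADDRESS       METHOD         OPTIONS
hostssl   appdb     app_user  10.0.0.0/24   scram-sha-256  clientcert=verify-full

# Everything else (no TLS, another subnet, another role) falls through to
# an explicit reject instead of silently matching a looser rule further down.
host      all       all       0.0.0.0/0     reject
host      all       all       ::/0          reject
```

After `pg_ctl reload`, `SELECT ssl, client_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();` from a session shows whether a certificate was presented and which DN the server accepted, which is the quickest way to confirm the second factor is actually being checked.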

