MIME-Version: 1.0
References: <79692c1a-190c-413e-9442-a14a45c1069d@googlemail.com>
 <834558.1719102188@sss.pgh.pa.us> <43826fbd-2d26-467b-afcf-7fde609f8da3@googlemail.com>
 <CAKAnmmL7a20MKmjJuQZsrZPqCoSfdi5xpCtL4eqTxmcCKefC6Q@mail.gmail.com> <CAPpdf5--HVKeABj+uYtoFza5ZguYe_KNPjvF_E4uhPLEk=G-_Q@mail.gmail.com>
In-Reply-To: <CAPpdf5--HVKeABj+uYtoFza5ZguYe_KNPjvF_E4uhPLEk=G-_Q@mail.gmail.com>
From: Chris Travers <chris.travers@gmail.com>
Date: Mon, 24 Jun 2024 20:30:44 +0700
Message-ID: <CAKt_Zft6pfd+Cw+5oyDDCiOqF9aJoYcBcXeT2cY=Cm1zkzpcow@mail.gmail.com>
Subject: Re: 2FA - - - was Re: Password complexity/history - credcheck?
To: o1bigtenor <o1bigtenor@gmail.com>
Cc: pgsql-general@lists.postgresql.org
Content-Type: multipart/alternative; boundary="000000000000767d1b061ba2cab0"
Archived-At: <https://www.postgresql.org/message-id/CAKt_Zft6pfd%2BCw%2B5oyDDCiOqF9aJoYcBcXeT2cY%3DCm1zkzpcow%40mail.gmail.com>
Precedence: bulk

--000000000000767d1b061ba2cab0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Mon, Jun 24, 2024 at 8:00=E2=80=AFPM o1bigtenor <o1bigtenor@gmail.com> w=
rote:

>
>
> On Sun, Jun 23, 2024 at 10:10=E2=80=AFAM Greg Sabino Mullane <htamfids@gm=
ail.com>
> wrote:
>
>> On Sun, Jun 23, 2024 at 5:30=E2=80=AFAM Martin Goodson <kaemaril@googlem=
ail.com>
>> wrote:
>>
>>> I believe that our security team is getting most of this from our
>>> auditors, who seem convinced that minimal complexity, password history
>>> etc are the way to go despite the fact that, as you say, server-side
>>> password checks can't really be implemented when the database receives =
a
>>> hash rather than a clear text password and password minimal complexity
>>> etc is not perhaps considered the gold standard it once was.
>>>
>>> In fact, I think they see a hashed password as a disadvantage.
>>
>>
>> Wow, full stop right there. This is a hill to die on.
>>
>> Push back and get some competent auditors. This should not be a DBAs
>> problem. Your best bet is to use Kerberos, and throw the password
>> requirements out of the database realm entirely.
>>
>> Also, the discussion should be about 2FA, not password history/complexit=
y.
>>
>>
> Hmmmmmmm - - - - 2FA - - - - what I've seen of it so far is that
> authentication is most often done
> using totally insecure tools (emailing some numbers or using SMS). Now if
> you were espousing
> the use of security dongles and such I would agree - - - - otherwise you
> are promoting the veneering
> of insecurity on insecurity with the hope that this helps.
>
> IMO having excellent passwords far trumps even 2FA - - - - 2FA is useful
> when simple or quite
> easily broken passwords are required.  Now when you add the lack of SMS
> possibilities (due to lack of signal) 2FA is an usually potent PITA becau=
se
> of course SMS 'always' works (except it doesn't(!!!!!!!!!!!!!!!!)).
>
> (Can you tell that I've been bitten in the posterior repeatedly with this
> garbage?)
>

For 2FA, a simple solution is to require a password plus
clientcert=3Dsameuser.  This allows you to authorize devices/user accounts
for specific remote database connections and provides that second factor --
i.e. something you have as well as something you know.

>
>
> Regards
>


--=20
Best Wishes,
Chris Travers

Efficito:  Hosted Accounting and ERP.  Robust and Flexible.  No vendor
lock-in.
http://www.efficito.com/learn_more

--000000000000767d1b061ba2cab0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><br></div><br><div class=3D"gmail_quote">=
<div dir=3D"ltr" class=3D"gmail_attr">On Mon, Jun 24, 2024 at 8:00=E2=80=AF=
PM o1bigtenor &lt;<a href=3D"mailto:o1bigtenor@gmail.com">o1bigtenor@gmail.=
com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"marg=
in:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1e=
x"><div dir=3D"ltr"><div dir=3D"ltr"><br></div><br><div class=3D"gmail_quot=
e"><div dir=3D"ltr" class=3D"gmail_attr">On Sun, Jun 23, 2024 at 10:10=E2=
=80=AFAM Greg Sabino Mullane &lt;<a href=3D"mailto:htamfids@gmail.com" targ=
et=3D"_blank">htamfids@gmail.com</a>&gt; wrote:<br></div><blockquote class=
=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rg=
b(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div dir=3D"ltr">On Sun, =
Jun 23, 2024 at 5:30=E2=80=AFAM Martin Goodson &lt;<a href=3D"mailto:kaemar=
il@googlemail.com" target=3D"_blank">kaemaril@googlemail.com</a>&gt; wrote:=
<br></div><div class=3D"gmail_quote"><blockquote class=3D"gmail_quote" styl=
e=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);paddin=
g-left:1ex">I believe that our security team is getting most of this from o=
ur <br>
auditors, who seem convinced that minimal complexity, password history <br>
etc are the way to go despite the fact that, as you say, server-side <br>
password checks can&#39;t really be implemented when the database receives =
a <br>
hash rather than a clear text password and password minimal complexity <br>
etc is not perhaps considered the gold standard it once was.<br>
<br>
In fact, I think they see a hashed password as a disadvantage.</blockquote>=
<div><br></div><div>Wow, full stop right there. This is a hill to die on.</=
div><div><br></div><div>Push back and get some competent auditors. This sho=
uld not be a DBAs problem. Your best bet is to use Kerberos, and throw the =
password requirements out of the database realm entirely.</div><div><br></d=
iv><div>Also, the discussion should be about 2FA, not password history/comp=
lexity.</div><br></div></div></blockquote><div><br></div><div>Hmmmmmmm - - =
- - 2FA - - - - what I&#39;ve seen of it so far is that authentication is m=
ost often done=C2=A0</div><div>using totally insecure tools (emailing some =
numbers or using SMS). Now if you were espousing=C2=A0</div><div>the use of=
 security dongles and such I would agree - - - - otherwise you are promotin=
g the veneering=C2=A0</div><div>of insecurity on insecurity with the hope t=
hat this helps.=C2=A0</div><div><br></div><div>IMO having excellent passwor=
ds far trumps even 2FA - - - - 2FA is useful when simple or quite=C2=A0</di=
v><div>easily broken passwords are required.=C2=A0 Now when you add the lac=
k of SMS possibilities (due to lack of signal) 2FA is an usually potent PIT=
A because of course SMS &#39;always&#39; works (except it doesn&#39;t(!!!!!=
!!!!!!!!!!!)).=C2=A0</div><div><br></div><div>(Can you tell that I&#39;ve b=
een bitten in the posterior repeatedly with this garbage?)</div></div></div=
></blockquote><div><br></div><div>For 2FA, a simple solution is to require =
a password plus clientcert=3Dsameuser.=C2=A0 This allows you to authorize d=
evices/user accounts for specific remote database connections and provides =
that second factor -- i.e. something you have as well as something you know=
.=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px =
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"=
ltr"><div class=3D"gmail_quote"><div> <br></div><div><br></div><div>Regards=
<br></div></div></div>
</blockquote></div><br clear=3D"all"><div><br></div><span class=3D"gmail_si=
gnature_prefix">-- </span><br><div dir=3D"ltr" class=3D"gmail_signature"><d=
iv dir=3D"ltr">Best Wishes,<div>Chris Travers</div><div><br></div><div>Effi=
cito: =C2=A0Hosted Accounting and ERP.=C2=A0 Robust and Flexible.=C2=A0 No =
vendor lock-in.</div><div><a href=3D"http://www.efficito.com/learn_more" ta=
rget=3D"_blank">http://www.efficito.com/learn_more</a></div></div></div></d=
iv>

--000000000000767d1b061ba2cab0--