From: Ron Johnson
Date: Sat, 22 Jun 2024 22:38:12 -0400
Subject: Re: Password complexity/history - credcheck?
To: pgsql-general

On Sat, Jun 22, 2024 at 7:28 PM Martin Goodson wrote:
> Hello.
>
> Recently our security team have wanted to apply password complexity
> checks akin to Oracle's profile mechanism to PostgreSQL, checking that a
> password hasn't been used in x months

There would have to be a pg_catalog table which stores login history.

> etc, has minimum length, x special
> characters and x numeric characters, mixed case etc.

Is that an after-the-fact scanner (with all the problems Tom mentioned), or is it a client-side "check while you're typing in the *new* password" scanner?
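The rules Martin lists, implemented as the kind of client-side check Ron asks about (run on the cleartext before it is sent to the server), as an added example written for this page rather than code from the thread or from credcheck; the numeric limits, the digest parameters and the history-store layout are assumptions.

```python
# Added example, not from the thread or credcheck; limits are assumed (Martin only says "x").
import hashlib
import hmac
import string
from datetime import datetime, timedelta

MIN_LENGTH = 12      # assumed
MIN_SPECIAL = 2      # assumed
MIN_DIGITS = 2       # assumed
HISTORY_MONTHS = 6   # assumed


def complexity_errors(password):
    """Return the rules the password fails; an empty list means it passes."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c in string.punctuation for c in password) < MIN_SPECIAL:
        errors.append(f"fewer than {MIN_SPECIAL} special characters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        errors.append(f"fewer than {MIN_DIGITS} digits")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        errors.append("not mixed case")
    return errors


def history_fingerprint(password, salt):
    """Salted, slow digest kept in the history store instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def reused_recently(password, history, now):
    """history: (salt, fingerprint, set_at) tuples, one per previous password.
    True if the candidate matches one set within HISTORY_MONTHS of `now`."""
    cutoff = now - timedelta(days=30 * HISTORY_MONTHS)
    for salt, fingerprint, set_at in history:
        if set_at < cutoff:
            continue  # old enough to be allowed again
        if hmac.compare_digest(history_fingerprint(password, salt), fingerprint):
            return True
    return False


def check_new_password(password, history, now=None):
    """Run the complexity and history checks; returns every failure at once."""
    now = now if now is not None else datetime.now()
    errors = complexity_errors(password)
    if reused_recently(password, history, now):
        errors.append(f"used within the last {HISTORY_MONTHS} months")
    return errors
```

Only the salted fingerprints and their set dates need to be stored for the history rule, so the store never holds a reusable credential.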