MIME-Version: 1.0
References: <79692c1a-190c-413e-9442-a14a45c1069d@googlemail.com>
 <834558.1719102188@sss.pgh.pa.us> <43826fbd-2d26-467b-afcf-7fde609f8da3@googlemail.com>
 <CAKAnmmL7a20MKmjJuQZsrZPqCoSfdi5xpCtL4eqTxmcCKefC6Q@mail.gmail.com>
In-Reply-To: <CAKAnmmL7a20MKmjJuQZsrZPqCoSfdi5xpCtL4eqTxmcCKefC6Q@mail.gmail.com>
From: o1bigtenor <o1bigtenor@gmail.com>
Date: Mon, 24 Jun 2024 07:59:31 -0500
Message-ID: <CAPpdf5--HVKeABj+uYtoFza5ZguYe_KNPjvF_E4uhPLEk=G-_Q@mail.gmail.com>
Subject: 2FA - - - was Re: Password complexity/history - credcheck?
Cc: pgsql-general@lists.postgresql.org
Content-Type: multipart/alternative; boundary="0000000000004b3898061ba25c1f"
Archived-At: <https://www.postgresql.org/message-id/CAPpdf5--HVKeABj%2BuYtoFza5ZguYe_KNPjvF_E4uhPLEk%3DG-_Q%40mail.gmail.com>
Precedence: bulk

--0000000000004b3898061ba25c1f
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Sun, Jun 23, 2024 at 10:10=E2=80=AFAM Greg Sabino Mullane <htamfids@gmai=
l.com>
wrote:

> On Sun, Jun 23, 2024 at 5:30=E2=80=AFAM Martin Goodson <kaemaril@googlema=
il.com>
> wrote:
>
>> I believe that our security team is getting most of this from our
>> auditors, who seem convinced that minimal complexity, password history
>> etc are the way to go despite the fact that, as you say, server-side
>> password checks can't really be implemented when the database receives a
>> hash rather than a clear text password and password minimal complexity
>> etc is not perhaps considered the gold standard it once was.
>>
>> In fact, I think they see a hashed password as a disadvantage.
>
>
> Wow, full stop right there. This is a hill to die on.
>
> Push back and get some competent auditors. This should not be a DBAs
> problem. Your best bet is to use Kerberos, and throw the password
> requirements out of the database realm entirely.
>
> Also, the discussion should be about 2FA, not password history/complexity=
.
>
>
Hmmmmmmm - - - - 2FA - - - - what I've seen of it so far is that
authentication is most often done
using totally insecure tools (emailing some numbers or using SMS). Now if
you were espousing
the use of security dongles and such I would agree - - - - otherwise you
are promoting the veneering
of insecurity on insecurity with the hope that this helps.

IMO having excellent passwords far trumps even 2FA - - - - 2FA is useful
when simple or quite
easily broken passwords are required.  Now when you add the lack of SMS
possibilities (due to lack of signal) 2FA is an usually potent PITA because
of course SMS 'always' works (except it doesn't(!!!!!!!!!!!!!!!!)).

(Can you tell that I've been bitten in the posterior repeatedly with this
garbage?)

Regards

--0000000000004b3898061ba25c1f
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><br></div><br><div class=3D"gmail_quote">=
<div dir=3D"ltr" class=3D"gmail_attr">On Sun, Jun 23, 2024 at 10:10=E2=80=
=AFAM Greg Sabino Mullane &lt;<a href=3D"mailto:htamfids@gmail.com">htamfid=
s@gmail.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=
=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding=
-left:1ex"><div dir=3D"ltr"><div dir=3D"ltr">On Sun, Jun 23, 2024 at 5:30=
=E2=80=AFAM Martin Goodson &lt;<a href=3D"mailto:kaemaril@googlemail.com" t=
arget=3D"_blank">kaemaril@googlemail.com</a>&gt; wrote:<br></div><div class=
=3D"gmail_quote"><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px =
0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I believ=
e that our security team is getting most of this from our <br>
auditors, who seem convinced that minimal complexity, password history <br>
etc are the way to go despite the fact that, as you say, server-side <br>
password checks can&#39;t really be implemented when the database receives =
a <br>
hash rather than a clear text password and password minimal complexity <br>
etc is not perhaps considered the gold standard it once was.<br>
<br>
In fact, I think they see a hashed password as a disadvantage.</blockquote>=
<div><br></div><div>Wow, full stop right there. This is a hill to die on.</=
div><div><br></div><div>Push back and get some competent auditors. This sho=
uld not be a DBAs problem. Your best bet is to use Kerberos, and throw the =
password requirements out of the database realm entirely.</div><div><br></d=
iv><div>Also, the discussion should be about 2FA, not password history/comp=
lexity.</div><br></div></div></blockquote><div><br></div><div>Hmmmmmmm - - =
- - 2FA - - - - what I&#39;ve seen of it so far is that authentication is m=
ost often done=C2=A0</div><div>using totally insecure tools (emailing some =
numbers or using SMS). Now if you were espousing=C2=A0</div><div>the use of=
 security dongles and such I would agree - - - - otherwise you are promotin=
g the veneering=C2=A0</div><div>of insecurity on insecurity with the hope t=
hat this helps.=C2=A0</div><div><br></div><div>IMO having excellent passwor=
ds far trumps even 2FA - - - - 2FA is useful when simple or quite=C2=A0</di=
v><div>easily broken passwords are required.=C2=A0 Now when you add the lac=
k of SMS possibilities (due to lack of signal) 2FA is an usually potent PIT=
A because of course SMS &#39;always&#39; works (except it doesn&#39;t(!!!!!=
!!!!!!!!!!!)).=C2=A0</div><div><br></div><div>(Can you tell that I&#39;ve b=
een bitten in the posterior repeatedly with this garbage?) <br></div><div><=
br></div><div>Regards<br></div></div></div>

--0000000000004b3898061ba25c1f--