Re: Password complexity/history - credcheck?

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Christoph Moench-Tegeder <[email protected]>
To: Martin Goodson <[email protected]>
Cc: Tom Lane <[email protected]>
Cc: [email protected]
Subject: Re: Password complexity/history - credcheck?
Date: Sun, 23 Jun 2024 12:49:04 +0200
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>
	<[email protected]>

## Martin Goodson ([email protected]):

> I believe that our security team is getting most of this from our
> auditors, who seem convinced that minimal complexity, password history
> etc are the way to go despite the fact that, as you say, server-side
> password checks can't really be implemented when the database receives
> a hash rather than a clear text password and password minimal
> complexity etc is not perhaps considered the gold standard it once
> was.

The current state of the art is documented (as in, "official", for
arguing with auditors) at
https://pages.nist.gov/800-63-3/sp800-63b.html#sec5

My advice would be to not use secrets stored in the database -
that is, do not use scram-sha-256 - but use an external authentication
system, like Kerberos (might be AD) or LDAP (might also be AD) and have
that managed by the security team: that way all these compliance
topics which they brought up also become their problem :) and a lot
of the processes of recovering and disabling accounts and changing
passords move into a central location, which is most often a good thing[tm].
Or maybe move to client certificates, but if you're managing more
than a few personal accounts rotating certificates might become a
hassle (depending on your user base).

Regards,
Christoph

-- 
Spare Space

view thread (9+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Password complexity/history - credcheck?
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox