public inbox for [email protected]  
help / color / mirror / Atom feed
From: Tom Lane <[email protected]>
To: Agil Azimov <[email protected]>
Cc: [email protected]
Subject: Re: Password settings requirements
Date: Tue, 12 Oct 2021 11:53:38 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAEQStStkY7Hg-MhUnfbn1wMQGzM88uSQ=bLs3BPxGn_WCOmBjA@mail.gmail.com>
References: <CAEQStStkY7Hg-MhUnfbn1wMQGzM88uSQ=bLs3BPxGn_WCOmBjA@mail.gmail.com>

Agil Azimov <[email protected]> writes:
> Need to check the password settings in postgre such as Password minimal
> length, password complexity, password maximal age, password history and
> account lockout threshold.
> I need to set these parameters to make the comply with the best practices

If you're intent on doing things that way, you can set up Postgres
to use PAM authentication, and then the PAM end of things can be
configured with all kinds of options like that.

Personally though, I'd push back on those requirements.  The fundamental
problem with doing anything like that is that you cannot check password
length, complexity, etc without users having to send their cleartext
passwords to the server, which is a much bigger security fail than
anything appearing on your list.  Best practice these days is to use
SCRAM, which never exposes the cleartext password to the server.

			regards, tom lane





view thread (12+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected]
  Subject: Re: Password settings requirements
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox