Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1maK65-0007DV-AB for pgsql-novice@arkaria.postgresql.org; Tue, 12 Oct 2021 15:53:45 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1maK64-0005Qd-9D for pgsql-novice@arkaria.postgresql.org; Tue, 12 Oct 2021 15:53:44 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1maK64-0005QU-2J for pgsql-novice@lists.postgresql.org; Tue, 12 Oct 2021 15:53:44 +0000 Received: from sss.pgh.pa.us ([66.207.139.130]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1maK62-0006h4-4a for pgsql-novice@lists.postgresql.org; Tue, 12 Oct 2021 15:53:43 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 19CFrcts577838; Tue, 12 Oct 2021 11:53:39 -0400 From: Tom Lane To: Agil Azimov cc: pgsql-novice@lists.postgresql.org Subject: Re: Password settings requirements In-reply-to: References: Comments: In-reply-to Agil Azimov message dated "Tue, 12 Oct 2021 19:00:17 +0400" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <577836.1634054018.1@sss.pgh.pa.us> Date: Tue, 12 Oct 2021 11:53:38 -0400 Message-ID: <577837.1634054018@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Agil Azimov writes: > Need to check the password settings in postgre such as Password minimal > length, password complexity, password maximal age, password history and > account lockout threshold. > I need to set these parameters to make the comply with the best practices If you're intent on doing things that way, you can set up Postgres to use PAM authentication, and then the PAM end of things can be configured with all kinds of options like that. Personally though, I'd push back on those requirements. The fundamental problem with doing anything like that is that you cannot check password length, complexity, etc without users having to send their cleartext passwords to the server, which is a much bigger security fail than anything appearing on your list. Best practice these days is to use SCRAM, which never exposes the cleartext password to the server. regards, tom lane