public inbox for [email protected]  
help / color / mirror / Atom feed
Password settings requirements
12+ messages / 5 participants
[nested] [flat]

* Password settings requirements
@ 2021-10-12 15:00  Agil Azimov <[email protected]>
  0 siblings, 2 replies; 12+ messages in thread

From: Agil Azimov @ 2021-10-12 15:00 UTC (permalink / raw)
  To: [email protected]

Hi,

Need to check the password settings in postgre such as Password minimal
length, password complexity, password maximal age, password history and
account lockout threshold.

I need to set these parameters to make the comply with the best practices

Can you please help with this issue?


^ permalink  raw  reply  [nested|flat] 12+ messages in thread

* Re: Password settings requirements
@ 2021-10-12 15:26  hubert depesz lubaczewski <[email protected]>
  parent: Agil Azimov <[email protected]>
  1 sibling, 1 reply; 12+ messages in thread

From: hubert depesz lubaczewski @ 2021-10-12 15:26 UTC (permalink / raw)
  To: Agil Azimov <[email protected]>; +Cc: [email protected]

On Tue, Oct 12, 2021 at 07:00:17PM +0400, Agil Azimov wrote:
> Need to check the password settings in postgre such as Password minimal
> length, password complexity, password maximal age, password history and
> account lockout threshold.
> I need to set these parameters to make the comply with the best practices
> Can you please help with this issue?

Did you check this:
https://www.postgresql.org/docs/current/passwordcheck.html ?

Best regards,

depesz






^ permalink  raw  reply  [nested|flat] 12+ messages in thread

* Re: Password settings requirements
@ 2021-10-12 15:53  Tom Lane <[email protected]>
  parent: Agil Azimov <[email protected]>
  1 sibling, 1 reply; 12+ messages in thread

From: Tom Lane @ 2021-10-12 15:53 UTC (permalink / raw)
  To: Agil Azimov <[email protected]>; +Cc: [email protected]

Agil Azimov <[email protected]> writes:
> Need to check the password settings in postgre such as Password minimal
> length, password complexity, password maximal age, password history and
> account lockout threshold.
> I need to set these parameters to make the comply with the best practices

If you're intent on doing things that way, you can set up Postgres
to use PAM authentication, and then the PAM end of things can be
configured with all kinds of options like that.

Personally though, I'd push back on those requirements.  The fundamental
problem with doing anything like that is that you cannot check password
length, complexity, etc without users having to send their cleartext
passwords to the server, which is a much bigger security fail than
anything appearing on your list.  Best practice these days is to use
SCRAM, which never exposes the cleartext password to the server.

			regards, tom lane





^ permalink  raw  reply  [nested|flat] 12+ messages in thread

* Re: Password settings requirements
@ 2021-10-12 16:43  Agil Azimov <[email protected]>
  parent: hubert depesz lubaczewski <[email protected]>
  0 siblings, 0 replies; 12+ messages in thread

From: Agil Azimov @ 2021-10-12 16:43 UTC (permalink / raw)
  To: [email protected]; +Cc: [email protected]

Yes I have checked it. The passwordcheck sets the predefined parameters
which cannot be observed. I read somwhere that there is complexity check
and password minimal length is set to 8 symbols. This doesn't work for me

On Tue, 12 Oct 2021, 7:26 pm hubert depesz lubaczewski, <[email protected]>
wrote:

> On Tue, Oct 12, 2021 at 07:00:17PM +0400, Agil Azimov wrote:
> > Need to check the password settings in postgre such as Password minimal
> > length, password complexity, password maximal age, password history and
> > account lockout threshold.
> > I need to set these parameters to make the comply with the best practices
> > Can you please help with this issue?
>
> Did you check this:
> https://www.postgresql.org/docs/current/passwordcheck.html ?
>
> Best regards,
>
> depesz
>
>


^ permalink  raw  reply  [nested|flat] 12+ messages in thread

* Re: Password settings requirements
@ 2021-10-12 16:46  Agil Azimov <[email protected]>
  parent: Tom Lane <[email protected]>
  0 siblings, 1 reply; 12+ messages in thread

From: Agil Azimov @ 2021-10-12 16:46 UTC (permalink / raw)
  To: Tom Lane <[email protected]>; +Cc: [email protected]

Thank you for your message. Will I be able to set all the settings I
mentioned before if I will set SCRAM?

On Tue, 12 Oct 2021, 7:53 pm Tom Lane, <[email protected]> wrote:

> Agil Azimov <[email protected]> writes:
> > Need to check the password settings in postgre such as Password minimal
> > length, password complexity, password maximal age, password history and
> > account lockout threshold.
> > I need to set these parameters to make the comply with the best practices
>
> If you're intent on doing things that way, you can set up Postgres
> to use PAM authentication, and then the PAM end of things can be
> configured with all kinds of options like that.
>
> Personally though, I'd push back on those requirements.  The fundamental
> problem with doing anything like that is that you cannot check password
> length, complexity, etc without users having to send their cleartext
> passwords to the server, which is a much bigger security fail than
> anything appearing on your list.  Best practice these days is to use
> SCRAM, which never exposes the cleartext password to the server.
>
>                         regards, tom lane
>


^ permalink  raw  reply  [nested|flat] 12+ messages in thread

* Re: Password settings requirements
@ 2021-10-12 23:28  Bruce Momjian <[email protected]>
  parent: Agil Azimov <[email protected]>
  0 siblings, 1 reply; 12+ messages in thread

From: Bruce Momjian @ 2021-10-12 23:28 UTC (permalink / raw)
  To: Agil Azimov <[email protected]>; +Cc: Tom Lane <[email protected]>; [email protected]

On Tue, Oct 12, 2021 at 08:46:44PM +0400, Agil Azimov wrote:
> Thank you for your message. Will I be able to set all the settings I mentioned
> before if I will set SCRAM?

No.  I think you need to use PAM or something like that if you want
those requirements.

-- 
  Bruce Momjian  <[email protected]>        https://momjian.us
  EDB                                      https://enterprisedb.com

  If only the physical world exists, free will is an illusion.






^ permalink  raw  reply  [nested|flat] 12+ messages in thread

* Re: Password settings requirements
@ 2021-10-19 07:38  Agil Azimov <[email protected]>
  parent: Bruce Momjian <[email protected]>
  0 siblings, 2 replies; 12+ messages in thread

From: Agil Azimov @ 2021-10-19 07:38 UTC (permalink / raw)
  To: Bruce Momjian <[email protected]>; +Cc: Tom Lane <[email protected]>; [email protected]

Thank you for your reply! I would like to check the current password
requirements of PostgreSQL server. Could you please let me know which
command will show me the
1. Minimal requirements for password length
2. Maximum password age
3. If the password complexity requirements are turned on.
4. Password history requirement - number of passwords
5. Account lockout threshold.

I appreciate you support.

On Wed, Oct 13, 2021 at 3:28 AM Bruce Momjian <[email protected]> wrote:

> On Tue, Oct 12, 2021 at 08:46:44PM +0400, Agil Azimov wrote:
> > Thank you for your message. Will I be able to set all the settings I
> mentioned
> > before if I will set SCRAM?
>
> No.  I think you need to use PAM or something like that if you want
> those requirements.
>
> --
>   Bruce Momjian  <[email protected]>        https://momjian.us
>   EDB                                      https://enterprisedb.com
>
>   If only the physical world exists, free will is an illusion.
>
>


^ permalink  raw  reply  [nested|flat] 12+ messages in thread

* Re: Password settings requirements
@ 2021-10-19 07:45  Agil Azimov <[email protected]>
  parent: Agil Azimov <[email protected]>
  1 sibling, 0 replies; 12+ messages in thread

From: Agil Azimov @ 2021-10-19 07:45 UTC (permalink / raw)
  To: Bruce Momjian <[email protected]>; +Cc: Tom Lane <[email protected]>; [email protected]

I know that the authentication md5 is used .

On Tue, Oct 19, 2021 at 11:38 AM Agil Azimov <[email protected]> wrote:

> Thank you for your reply! I would like to check the current password
> requirements of PostgreSQL server. Could you please let me know which
> command will show me the
> 1. Minimal requirements for password length
> 2. Maximum password age
> 3. If the password complexity requirements are turned on.
> 4. Password history requirement - number of passwords
> 5. Account lockout threshold.
>
> I appreciate you support.
>
> On Wed, Oct 13, 2021 at 3:28 AM Bruce Momjian <[email protected]> wrote:
>
>> On Tue, Oct 12, 2021 at 08:46:44PM +0400, Agil Azimov wrote:
>> > Thank you for your message. Will I be able to set all the settings I
>> mentioned
>> > before if I will set SCRAM?
>>
>> No.  I think you need to use PAM or something like that if you want
>> those requirements.
>>
>> --
>>   Bruce Momjian  <[email protected]>        https://momjian.us
>>   EDB                                      https://enterprisedb.com
>>
>>   If only the physical world exists, free will is an illusion.
>>
>>


^ permalink  raw  reply  [nested|flat] 12+ messages in thread

* Re: Password settings requirements
@ 2021-10-19 12:20  Laurenz Albe <[email protected]>
  parent: Agil Azimov <[email protected]>
  1 sibling, 1 reply; 12+ messages in thread

From: Laurenz Albe @ 2021-10-19 12:20 UTC (permalink / raw)
  To: Agil Azimov <[email protected]>; Bruce Momjian <[email protected]>; +Cc: Tom Lane <[email protected]>; [email protected]

On Tue, 2021-10-19 at 11:38 +0400, Agil Azimov wrote:
> 
> On Wed, Oct 13, 2021 at 3:28 AM Bruce Momjian <[email protected]> wrote:
> > On Tue, Oct 12, 2021 at 08:46:44PM +0400, Agil Azimov wrote:
> > > Thank you for your message. Will I be able to set all the settings I mentioned
> > > before if I will set SCRAM?
> > 
> > No.  I think you need to use PAM or something like that if you want
> > those requirements.
> > 
> Thank you for your reply! I would like to check the current password requirements of PostgreSQL server. Could you please let me know which command will show me the
> 1. Minimal requirements for password length
> 2. Maximum password age
> 3. If the password complexity requirements are turned on. 
> 4. Password history requirement - number of passwords
> 5. Account lockout threshold.
> 
> I appreciate you support.

As Bruce said, there are no such requirements.
You will have to manage your passwords outside of PostgreSQL if
you need to impose password rules.
PAM, the pluggabla authentication mocule of Linux, is one way of doing that.

Yours,
Laurenz Albe
-- 
Cybertec | https://www.cybertec-postgresql.com






^ permalink  raw  reply  [nested|flat] 12+ messages in thread

* Re: Password settings requirements
@ 2021-10-19 13:01  Agil Azimov <[email protected]>
  parent: Laurenz Albe <[email protected]>
  0 siblings, 1 reply; 12+ messages in thread

From: Agil Azimov @ 2021-10-19 13:01 UTC (permalink / raw)
  To: Laurenz Albe <[email protected]>; +Cc: Bruce Momjian <[email protected]>; Tom Lane <[email protected]>; [email protected]

Thank you for the clarification!  The issue is that I have to check and
report the current state )). Is there any way I can check current password
settings (minimal password length for instance and maximum password
lifetime).  Ideally all of the settings mentioned above ). I appreciate any
help you can provide.

Warm regards,
Agil

On Tue, Oct 19, 2021 at 4:20 PM Laurenz Albe <[email protected]>
wrote:

> On Tue, 2021-10-19 at 11:38 +0400, Agil Azimov wrote:
> >
> > On Wed, Oct 13, 2021 at 3:28 AM Bruce Momjian <[email protected]> wrote:
> > > On Tue, Oct 12, 2021 at 08:46:44PM +0400, Agil Azimov wrote:
> > > > Thank you for your message. Will I be able to set all the settings I
> mentioned
> > > > before if I will set SCRAM?
> > >
> > > No.  I think you need to use PAM or something like that if you want
> > > those requirements.
> > >
> > Thank you for your reply! I would like to check the current password
> requirements of PostgreSQL server. Could you please let me know which
> command will show me the
> > 1. Minimal requirements for password length
> > 2. Maximum password age
> > 3. If the password complexity requirements are turned on.
> > 4. Password history requirement - number of passwords
> > 5. Account lockout threshold.
> >
> > I appreciate you support.
>
> As Bruce said, there are no such requirements.
> You will have to manage your passwords outside of PostgreSQL if
> you need to impose password rules.
> PAM, the pluggabla authentication mocule of Linux, is one way of doing
> that.
>
> Yours,
> Laurenz Albe
> --
> Cybertec | https://www.cybertec-postgresql.com
>
>


^ permalink  raw  reply  [nested|flat] 12+ messages in thread

* Re: Password settings requirements
@ 2021-10-19 13:52  Laurenz Albe <[email protected]>
  parent: Agil Azimov <[email protected]>
  0 siblings, 1 reply; 12+ messages in thread

From: Laurenz Albe @ 2021-10-19 13:52 UTC (permalink / raw)
  To: Agil Azimov <[email protected]>; +Cc: Bruce Momjian <[email protected]>; Tom Lane <[email protected]>; [email protected]

On Tue, 2021-10-19 at 17:01 +0400, Agil Azimov wrote:
> Is there any way I can check current password settings (minimal password length for instance and maximum password lifetime).

No.  Not in PostgreSQL.
It doesn't help if you ask the question again.

Yours,
Laurenz Albe






^ permalink  raw  reply  [nested|flat] 12+ messages in thread

* Re: Password settings requirements
@ 2021-10-19 13:59  Agil Azimov <[email protected]>
  parent: Laurenz Albe <[email protected]>
  0 siblings, 0 replies; 12+ messages in thread

From: Agil Azimov @ 2021-10-19 13:59 UTC (permalink / raw)
  To: Laurenz Albe <[email protected]>; +Cc: Bruce Momjian <[email protected]>; Tom Lane <[email protected]>; [email protected]

Ok, thanks ))) sorry for asking the same question too many times .

On Tue, Oct 19, 2021 at 5:52 PM Laurenz Albe <[email protected]>
wrote:

> On Tue, 2021-10-19 at 17:01 +0400, Agil Azimov wrote:
> > Is there any way I can check current password settings (minimal password
> length for instance and maximum password lifetime).
>
> No.  Not in PostgreSQL.
> It doesn't help if you ask the question again.
>
> Yours,
> Laurenz Albe
>
>


^ permalink  raw  reply  [nested|flat] 12+ messages in thread


end of thread, other threads:[~2021-10-19 13:59 UTC | newest]

Thread overview: 12+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2021-10-12 15:00 Password settings requirements Agil Azimov <[email protected]>
2021-10-12 15:26 ` hubert depesz lubaczewski <[email protected]>
2021-10-12 16:43   ` Agil Azimov <[email protected]>
2021-10-12 15:53 ` Tom Lane <[email protected]>
2021-10-12 16:46   ` Agil Azimov <[email protected]>
2021-10-12 23:28     ` Bruce Momjian <[email protected]>
2021-10-19 07:38       ` Agil Azimov <[email protected]>
2021-10-19 07:45         ` Agil Azimov <[email protected]>
2021-10-19 12:20         ` Laurenz Albe <[email protected]>
2021-10-19 13:01           ` Agil Azimov <[email protected]>
2021-10-19 13:52             ` Laurenz Albe <[email protected]>
2021-10-19 13:59               ` Agil Azimov <[email protected]>

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox