Re: Passwordcheck configuration - Mailing list pgsql-general

From Tom Lane
Subject Re: Passwordcheck configuration
Date
Msg-id 5502.1584659946@sss.pgh.pa.us
Whole thread Raw
In response to Passwordcheck configuration  (Dave Hughes <dhughes20@gmail.com>)
Responses Re: Passwordcheck configuration
Re: Passwordcheck configuration
Re: Passwordcheck configuration
Re: Passwordcheck configuration
List pgsql-general
Dave Hughes <dhughes20@gmail.com> writes:
> I have a requirement to set some password complexity for our database such
> as length of password, upper case, lower case, special characters,
> expiration limit, reuse, etc.

Usually, if you have to do something like that, we recommend setting PG to
use PAM authentication and configuring the restrictions on the PAM side.
The only native capability in that direction is that you can set a
password expiration date.

Note that it's widely believed that this sort of thing makes you LESS
secure, not more.  Quite aside from the well-established fact that forced
password changes are bad from a human-factors standpoint, you can't check
any of those other points unless the password is sent to the server as
cleartext.  That creates its own set of vulnerabilities, and I don't
know of anybody who considers it good practice.

> I saw there was a module you can use for this called passwordcheck.  Seems
> easy to install, but I don't see how you can configure it for you specific
> needs?

passwordcheck hasn't got any out-of-the-box configurability.  It's mainly
meant as sample code that people could modify if they have a mind to.

(I seem to recall some recent discussion about deprecating/removing
passwordcheck altogether, but I can't find it right now.)

            regards, tom lane



pgsql-general by date:

Previous
From: Justin King
Date:
Subject: Re: PG12 autovac issues
Next
From: "David G. Johnston"
Date:
Subject: Re: Could postgres12 support millions of sequences? (like 10 million)