Re: password administration - Mailing list pgsql-admin

From Scott Marlowe
Subject Re: password administration
Date
Msg-id AANLkTimHrExZUmtZeX4NNXx7XxDw0Gm2QRz=hViYmTHr@mail.gmail.com
Whole thread Raw
In response to Re: password administration  (Craig James <craig_james@emolecules.com>)
Responses Re: password administration
Re: password administration
List pgsql-admin
On Thu, Aug 5, 2010 at 2:20 PM, Craig James <craig_james@emolecules.com> wrote:
> On 8/5/10 12:58 PM, Mark Steben wrote:
>>
>> I would like to set up a facility that enforces password changes for roles
>> After a predefined period (30 days for instance) when logging into psql
>> Or, at the very least, send an email out to notify that your current
>> Password period is about to expire.  Preferably, I'd like to use
>> The 'rolvaliduntil' column in pg_roles.
>>
>> I'm wondering if there is an app inside or outside of postgres
>> that I can use or do I have to design from scratch.
>
> This is an off-topic response, but security experts have said that this is a
> REALLY bad idea.  It forces people to choose a new password, which means
> they can't remember it.  So what do they do?  They write it down.  Anyone
> snooping around their office can find it.
>
> Besides, when a password is stolen, it's usually used within minutes.
>  Making everyone change every month does no good at all.
>
> A better solution is to implement a password-strength algorithm and require
> people to select decent passwords to begin with.

Exactly.  If you allow simpler passwords that have to be changed you
get things like:

ilovemywife22   md5: b845aec254d018d118fe52c46ee8c98c

changed to

ilovemywife23  md5: 8c2b59e4d961478e3a9d5bd94979f329

You can't tell how close they are by the md5.  If you try to prevent
people from reusing similar passwords, then you have to store either
the previous passwords (bad security) or something like a soundex of
the previous password (also bad security.)

Better to have strong passwords and intrusion detection.

pgsql-admin by date:

Previous
From: Craig James
Date:
Subject: Re: password administration
Next
From: Tom Lane
Date:
Subject: Re: password administration