2FA - - - was Re: Password complexity/history - credcheck? - Mailing list pgsql-general

From o1bigtenor
Subject 2FA - - - was Re: Password complexity/history - credcheck?
Date
Msg-id CAPpdf5--HVKeABj+uYtoFza5ZguYe_KNPjvF_E4uhPLEk=G-_Q@mail.gmail.com
Whole thread Raw
In response to Re: Password complexity/history - credcheck?  (Greg Sabino Mullane <htamfids@gmail.com>)
Responses Re: 2FA - - - was Re: Password complexity/history - credcheck?
List pgsql-general


On Sun, Jun 23, 2024 at 10:10 AM Greg Sabino Mullane <htamfids@gmail.com> wrote:
On Sun, Jun 23, 2024 at 5:30 AM Martin Goodson <kaemaril@googlemail.com> wrote:
I believe that our security team is getting most of this from our
auditors, who seem convinced that minimal complexity, password history
etc are the way to go despite the fact that, as you say, server-side
password checks can't really be implemented when the database receives a
hash rather than a clear text password and password minimal complexity
etc is not perhaps considered the gold standard it once was.

In fact, I think they see a hashed password as a disadvantage.

Wow, full stop right there. This is a hill to die on.

Push back and get some competent auditors. This should not be a DBAs problem. Your best bet is to use Kerberos, and throw the password requirements out of the database realm entirely.

Also, the discussion should be about 2FA, not password history/complexity.


Hmmmmmmm - - - - 2FA - - - - what I've seen of it so far is that authentication is most often done 
using totally insecure tools (emailing some numbers or using SMS). Now if you were espousing 
the use of security dongles and such I would agree - - - - otherwise you are promoting the veneering 
of insecurity on insecurity with the hope that this helps. 

IMO having excellent passwords far trumps even 2FA - - - - 2FA is useful when simple or quite 
easily broken passwords are required.  Now when you add the lack of SMS possibilities (due to lack of signal) 2FA is an usually potent PITA because of course SMS 'always' works (except it doesn't(!!!!!!!!!!!!!!!!)). 

(Can you tell that I've been bitten in the posterior repeatedly with this garbage?)

Regards

pgsql-general by date:

Previous
From: Ron Johnson
Date:
Subject: Re: Issue with pgstattuple on Sequences in PostgreSQL
Next
From: "David G. Johnston"
Date:
Subject: Re: Execute permission to function