Re: Password complexity/history - credcheck?

Greg Sabino Mullane <htamfids@gmail.com>

From: Greg Sabino Mullane <htamfids@gmail.com>
To: Martin Goodson <kaemaril@googlemail.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, pgsql-general@lists.postgresql.org
Date: 2024-06-23T15:09:26Z
Lists: pgsql-general
On Sun, Jun 23, 2024 at 5:30 AM Martin Goodson <kaemaril@googlemail.com>
wrote:

> I believe that our security team is getting most of this from our
> auditors, who seem convinced that minimal complexity, password history
> etc are the way to go despite the fact that, as you say, server-side
> password checks can't really be implemented when the database receives a
> hash rather than a clear text password and password minimal complexity
> etc is not perhaps considered the gold standard it once was.
>
> In fact, I think they see a hashed password as a disadvantage.


Wow, full stop right there. This is a hill to die on.

Push back and get some competent auditors. This should not be a DBAs
problem. Your best bet is to use Kerberos, and throw the password
requirements out of the database realm entirely.

Also, the discussion should be about 2FA, not password history/complexity.

Cheers,
Greg