Discussion: Password policy


Password policy

From
"Roberts, Jon"
Date:
I need to set a basic password policy for accounts but I don't see any
documentation on how to do it.  I'm assuming there is a way to do this,
maybe even with a trigger.

The policy would be something like this:
1.  Must contain letters and numbers
2.  Must be at least 8 characters long
3.  Must contain one special character (#,@,$,%,!, etc)
4.  Password (not the account) must expire after 90 days
5.  Must warn users 10 days before the expire to change the password


Jon

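Rules 1 through 3 in the list above are a pure string check and rules 4 and 5 a date comparison. As an added example that is not code from the thread, from chkpass or from PostgreSQL, here is how both could be written in C, the language of contrib modules, so that whatever enforcement point is eventually chosen has a concrete check to call. The thresholds (8 characters, 90 days, 10 days) are the ones in the message; the full set of special characters beyond `#,@,$,%,!` and the rejection of control characters are assumptions, and the sample passwords are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Thresholds taken from the policy in the message. */
#define MIN_LEN       8
#define MAX_AGE_DAYS  90
#define WARN_DAYS     10

/* The message lists "#,@,$,%,!, etc"; the rest of this set is an assumption. */
static const char SPECIALS[] = "#@$%!^&*()-_=+[]{}<>;:,.?/\\|~`'\"";

/* Rules 1-3. Returns true if pw passes; otherwise sets *why (if non-NULL)
 * to a short static reason. Only the first failing rule is reported. */
bool password_meets_policy(const char *pw, const char **why)
{
    bool has_letter = false, has_digit = false, has_special = false;
    size_t len = 0;
    const char *reason = NULL;

    if (pw == NULL) {
        reason = "no password";
    } else {
        for (const unsigned char *p = (const unsigned char *)pw; *p; p++, len++) {
            if (isalpha(*p))
                has_letter = true;
            else if (isdigit(*p))
                has_digit = true;
            else if (iscntrl(*p)) {
                /* Not in the stated policy; guards against a stray newline. */
                reason = "control character";
                break;
            } else if (strchr(SPECIALS, *p) != NULL)
                has_special = true;
            /* Any other byte (space, non-ASCII) counts toward length only. */
        }
        if (reason == NULL) {
            if (len < MIN_LEN)      reason = "shorter than 8 characters";
            else if (!has_letter)   reason = "no letter";
            else if (!has_digit)    reason = "no digit";
            else if (!has_special)  reason = "no special character";
        }
    }
    if (why)
        *why = reason;
    return reason == NULL;
}

enum pw_age_state { PW_OK = 0, PW_WARN = 1, PW_EXPIRED = 2 };

/* Rules 4-5: state of a password given when it was last set and the current time. */
enum pw_age_state password_age_state(time_t last_changed, time_t now)
{
    double age_days = difftime(now, last_changed) / 86400.0;

    if (age_days >= MAX_AGE_DAYS)             return PW_EXPIRED;
    if (age_days >= MAX_AGE_DAYS - WARN_DAYS) return PW_WARN;
    return PW_OK;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "Tr0ub4dor&3", "correcthorse", "abc123!", "12345678!", NULL };
    for (int i = 0; samples[i]; i++) {
        const char *why;
        bool ok = password_meets_policy(samples[i], &why);
        printf("%-14s %s\n", samples[i], ok ? "accepted" : why);
    }

    time_t set_at = 0;            /* constructed: password set at the epoch */
    time_t now    = 85 * 86400;   /* 85 days later: inside the warning window */
    printf("age state after 85 days: %d (0=ok, 1=warn, 2=expired)\n",
           (int)password_age_state(set_at, now));
    return 0;
}
```

The age check deliberately takes both timestamps as arguments instead of calling time() internally, so the expiry and warning boundaries can be tested against fixed values.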

Re: Password policy

From
Andrew Dunstan
Date:

Roberts, Jon wrote:
> I need to set a basic password policy for accounts but I don't see any
> documentation on how to do it.  I'm assuming there is a way to do this,
> maybe even with a trigger.
>
> The policy would be something like this:
> 1.  Must contain letters and numbers
> 2.  Must be at least 8 characters long
> 3.  Must contain one special character (#,@,$,%,!, etc)
> 4.  Password (not the account) must expire after 90 days
> 5.  Must warn users 10 days before the expire to change the password
>
>
>   

This question really belongs on the -general list, not the -hackers list 
(as do all questions about usage).

The short answer is "not really". You could use an external password 
source like PAM or LDAP that enforced such restrictions.

cheers

andrew


Re: Password policy

From
"D'Arcy J.M. Cain"
Date:
On Tue, 15 Jan 2008 16:11:16 -0600
"Roberts, Jon" <Jon.Roberts@asurion.com> wrote:
> I need to set a basic password policy for accounts but I don't see any
> documentation on how to do it.  I'm assuming there is a way to do this,
> maybe even with a trigger.
> 
> The policy would be something like this:
> 1.  Must contain letters and numbers
> 2.  Must be at least 8 characters long
> 3.  Must contain one special character (#,@,$,%,!, etc)
> 4.  Password (not the account) must expire after 90 days
> 5.  Must warn users 10 days before the expire to change the password

Look at my chkpass type in contrib.  There is a function to verify the
password.  It is just a placeholder now but you can modify it to do all
your checking.

Policies 4 & 5 may require further work either in the chkpass type or
with a separate field.  Details are hard to suggest as I can think of
three or four methods right away but it all depends on more detailed
requirements to determine the best one.

Non-database related suggestion:  Reconsider 4 & 5 anyway.  Forcing
people to change their passwords all the time is less secure, not
more.  In those situations you tend to find a lot more passwords on
post-it notes and in clear text files.

-- 
D'Arcy J.M. Cain <darcy@druid.net>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 425 1212     (DoD#0082)    (eNTP)   |  what's for dinner.


Re: Password policy

From
Andrew Dunstan
Date:

D'Arcy J.M. Cain wrote:
> On Tue, 15 Jan 2008 16:11:16 -0600
> "Roberts, Jon" <Jon.Roberts@asurion.com> wrote:
>   
>> I need to set a basic password policy for accounts but I don't see any
>> documentation on how to do it.  I'm assuming there is a way to do this,
>> maybe even with a trigger.
>>
>> The policy would be something like this:
>> 1.  Must contain letters and numbers
>> 2.  Must be at least 8 characters long
>> 3.  Must contain one special character (#,@,$,%,!, etc)
>> 4.  Password (not the account) must expire after 90 days
>> 5.  Must warn users 10 days before the expire to change the password
>>     
>
> Look at my chkpass type in contrib.  There is a function to verify the
> password.  It is just a placeholder now but you can modify it to do all
> your checking.
>
>   

I assumed he was asking about Postgres level passwords rather than 
passwords maintained by an application. chkpass is only for the latter.

( Slightly OT - chkpass uses crypt(). Maybe that should be upgraded to 
use md5 or some more modern hashing function. )

cheers

andrew


Re: Password policy

From
"D'Arcy J.M. Cain"
Date:
On Wed, 16 Jan 2008 08:32:12 -0500
Andrew Dunstan <andrew@dunslane.net> wrote:
> >> I need to set a basic password policy for accounts but I don't see any
> > Look at my chkpass type in contrib.  There is a function to verify the
> > password.  It is just a placeholder now but you can modify it to do all
> > your checking.
> 
> I assumed he was asking about Postgres level passwords rather than 
> passwords maintained by an application. chkpass is only for the latter.

Could be.  I saw "accounts" and thought Unix shell or ISP accounts.

> ( Slightly OT - chkpass uses crypt(). Maybe that should be upgraded to 
> use md5 or some more modern hashing function. )

Yes, I have said many times that other encryption types could easily be
dropped in. It could even be changed to handle either as long as there
was some way to set the default.  However, these things haven't yet
been a requirement for me so I have not bothered yet.

-- 
D'Arcy J.M. Cain <darcy@druid.net>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 425 1212     (DoD#0082)    (eNTP)   |  what's for dinner.


Re: Password policy

From
"Roberts, Jon"
Date:
> -----Original Message-----
> From: D'Arcy J.M. Cain [mailto:darcy@druid.net]
> Sent: Wednesday, January 16, 2008 9:39 AM
> To: Andrew Dunstan
> Cc: Roberts, Jon; pgsql-hackers@postgresql.org
> Subject: Re: [HACKERS] Password policy
> 
> On Wed, 16 Jan 2008 08:32:12 -0500
> Andrew Dunstan <andrew@dunslane.net> wrote:
> > >> I need to set a basic password policy for accounts but I don't see any
> > > Look at my chkpass type in contrib.  There is a function to verify the
> > > password.  It is just a placeholder now but you can modify it to do all
> > > your checking.
> >
> > I assumed he was asking about Postgres level passwords rather than
> > passwords maintained by an application. chkpass is only for the latter.
> 
> Could be.  I saw "accounts" and thought Unix shell or ISP accounts.
> 

I was referring to PostgreSQL accounts.


Jon


Re: Password policy

From
Patrick McPhee
Date:
On Wednesday 16 January 2008 08:32, Andrew Dunstan wrote:

> ( Slightly OT - chkpass uses crypt(). Maybe that should be upgraded to
> use md5 or some more modern hashing function. )

Some versions of crypt() will generate md5 hashes if you start the salt with 
$1$<salt>$. I know this to work on FreeBSD, NetBSD, and Fedora core, and I 
believe it also works on other Linux distributions and Solaris. I have a 
patch to chkpass.c which will do this based on a custom GUC. The nice thing 
about this is that it continues to work with mod_auth_pgsql. I did have to 
change the on-disk representation to fit in the extra data.

D'Arcy, if you're interested I'll send you a patch.

-- 
Patrick TJ McPhee <pmcphee@givex.com>
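
The `$1$<salt>$` convention Patrick describes is the "modular crypt" setting prefix, and the reason the on-disk representation had to grow is that the MD5 form is up to 34 characters where traditional DES output is a fixed 13. As an added example, not code from chkpass or from Patrick's patch, here is a small C validator for the strings crypt() produces, useful for checking an existing column before switching schemes, plus a helper that builds the MD5 setting string to pass as crypt()'s second argument. It goes beyond the message by also recognising the glibc SHA-256 and SHA-512 forms (`$5$`, `$6$`, with an optional `rounds=N$`). Restricting salts to the crypt alphabet, and the 8/16-character salt caps, are assumptions modelled on glibc's behaviour; the sample strings are constructed and are not real hashes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum crypt_scheme { CRYPT_INVALID = 0, CRYPT_DES, CRYPT_MD5, CRYPT_SHA256, CRYPT_SHA512 };

/* The 64-character alphabet crypt() uses for salts and hash output. */
static const char CRYPT_ALPHABET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

static bool all_in_alphabet(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\0' || strchr(CRYPT_ALPHABET, s[i]) == NULL)
            return false;
    return true;
}

/* Classify a stored crypt() string.
 *   traditional DES : 13 chars (2 salt + 11 hash), no '$'
 *   MD5             : $1$<salt, 1-8 chars>$<22 chars>
 *   SHA-256/SHA-512 : $5$ or $6$ [rounds=N$] <salt, 1-16 chars>$<43 or 86 chars>
 * Anything that does not match exactly is CRYPT_INVALID. */
enum crypt_scheme classify_crypt_string(const char *s)
{
    size_t len = strlen(s);
    enum crypt_scheme scheme = CRYPT_INVALID;
    size_t hash_len = 0, max_salt = 0, salt_len;
    const char *p, *sep;

    if (s[0] != '$')
        return (len == 13 && all_in_alphabet(s, 13)) ? CRYPT_DES : CRYPT_INVALID;

    if (len < 3 || s[2] != '$')
        return CRYPT_INVALID;
    switch (s[1]) {
    case '1': scheme = CRYPT_MD5;    hash_len = 22; max_salt = 8;  break;
    case '5': scheme = CRYPT_SHA256; hash_len = 43; max_salt = 16; break;
    case '6': scheme = CRYPT_SHA512; hash_len = 86; max_salt = 16; break;
    default:  return CRYPT_INVALID;
    }
    p = s + 3;

    /* SHA schemes may carry an explicit work factor: "rounds=N$". */
    if (scheme != CRYPT_MD5 && strncmp(p, "rounds=", 7) == 0) {
        const char *q = p + 7;
        size_t digits = 0;
        while (q[digits] >= '0' && q[digits] <= '9')
            digits++;
        if (digits == 0 || q[digits] != '$')
            return CRYPT_INVALID;
        p = q + digits + 1;
    }

    /* Salt up to the next '$'. Alphabet-only salts are a policy choice here. */
    sep = strchr(p, '$');
    if (sep == NULL)
        return CRYPT_INVALID;
    salt_len = (size_t)(sep - p);
    if (salt_len == 0 || salt_len > max_salt || !all_in_alphabet(p, salt_len))
        return CRYPT_INVALID;

    /* Hash: fixed length per scheme, alphabet only, nothing trailing. */
    p = sep + 1;
    if (strlen(p) != hash_len || !all_in_alphabet(p, hash_len))
        return CRYPT_INVALID;
    return scheme;
}

/* Build the "setting" that selects MD5 in crypt(): "$1$<salt>$", where the
 * salt is 1..8 characters from the alphabet. Returns false on bad input or
 * when out cannot hold the result including the terminating NUL. */
bool make_md5_setting(const char *salt, char *out, size_t outsz)
{
    size_t n = strlen(salt);
    if (n == 0 || n > 8 || !all_in_alphabet(salt, n))
        return false;
    if (outsz < n + 5)                      /* "$1$" + salt + "$" + NUL */
        return false;
    snprintf(out, outsz, "$1$%s$", salt);
    return true;
}

int main(void)
{
    /* Constructed sample values, not real password hashes. */
    const char *md5_like = "$1$saltsalt$abcdefghijklmnopqrstuv";
    const char *des_like = "ab1234567890.";
    char setting[16];

    printf("%s -> scheme %d\n", md5_like, (int)classify_crypt_string(md5_like));
    printf("%s -> scheme %d\n", des_like, (int)classify_crypt_string(des_like));
    if (make_md5_setting("saltsalt", setting, sizeof setting))
        printf("setting for crypt(): %s\n", setting);
    return 0;
}
```

Because the validator rejects anything with a wrong hash length or a stray character, running it over a column of stored values tells you exactly which rows are still in the 13-character DES form and would be broken by a scheme change or a too-narrow column.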