Discussion: Password settings requirements
Hi,
Need to check the password settings in postgre such as Password minimal length, password complexity, password maximal age, password history and account lockout threshold.
I need to set these parameters to make them comply with best practices.
Can you please help with this issue?
On Tue, Oct 12, 2021 at 07:00:17PM +0400, Agil Azimov wrote:
> Need to check the password settings in postgre such as Password minimal
> length, password complexity, password maximal age, password history and
> account lockout threshold.
> I need to set these parameters to make the comply with the best practices
> Can you please help with this issue?
Did you check this:
https://www.postgresql.org/docs/current/passwordcheck.html ?
Best regards,
depesz
Agil Azimov <agil.azimov@gmail.com> writes:
> Need to check the password settings in postgre such as Password minimal
> length, password complexity, password maximal age, password history and
> account lockout threshold.
> I need to set these parameters to make the comply with the best practices
If you're intent on doing things that way, you can set up Postgres
to use PAM authentication, and then the PAM end of things can be
configured with all kinds of options like that.
Personally though, I'd push back on those requirements. The fundamental
problem with doing anything like that is that you cannot check password
length, complexity, etc without users having to send their cleartext
passwords to the server, which is a much bigger security fail than
anything appearing on your list. Best practice these days is to use
SCRAM, which never exposes the cleartext password to the server.
regards, tom lane
Yes, I have checked it. The passwordcheck sets the predefined parameters which cannot be observed. I read somewhere that there is a complexity check and the password minimal length is set to 8 symbols. This doesn't work for me.
On Tue, 12 Oct 2021, 7:26 pm hubert depesz lubaczewski, <depesz@depesz.com> wrote:
On Tue, Oct 12, 2021 at 07:00:17PM +0400, Agil Azimov wrote:
> Need to check the password settings in postgre such as Password minimal
> length, password complexity, password maximal age, password history and
> account lockout threshold.
> I need to set these parameters to make the comply with the best practices
> Can you please help with this issue?
Did you check this:
https://www.postgresql.org/docs/current/passwordcheck.html ?
Best regards,
depesz
Thank you for your message. Will I be able to set all the settings I mentioned before if I set SCRAM?
On Tue, 12 Oct 2021, 7:53 pm Tom Lane, <tgl@sss.pgh.pa.us> wrote:
Agil Azimov <agil.azimov@gmail.com> writes:
> Need to check the password settings in postgre such as Password minimal
> length, password complexity, password maximal age, password history and
> account lockout threshold.
> I need to set these parameters to make the comply with the best practices
If you're intent on doing things that way, you can set up Postgres
to use PAM authentication, and then the PAM end of things can be
configured with all kinds of options like that.
Personally though, I'd push back on those requirements. The fundamental
problem with doing anything like that is that you cannot check password
length, complexity, etc without users having to send their cleartext
passwords to the server, which is a much bigger security fail than
anything appearing on your list. Best practice these days is to use
SCRAM, which never exposes the cleartext password to the server.
regards, tom lane
On Tue, Oct 12, 2021 at 08:46:44PM +0400, Agil Azimov wrote:
> Thank you for your message. Will I be able to set all the settings I mentioned
> before if I will set SCRAM?
No. I think you need to use PAM or something like that if you want
those requirements.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
If only the physical world exists, free will is an illusion.
Thank you for your reply! I would like to check the current password requirements of PostgreSQL server. Could you please let me know which command will show me the
1. Minimal requirements for password length
2. Maximum password age
3. If the password complexity requirements are turned on.
4. Password history requirement - number of passwords
5. Account lockout threshold.
I appreciate your support.
On Wed, Oct 13, 2021 at 3:28 AM Bruce Momjian <bruce@momjian.us> wrote:
On Tue, Oct 12, 2021 at 08:46:44PM +0400, Agil Azimov wrote:
> Thank you for your message. Will I be able to set all the settings I mentioned
> before if I will set SCRAM?
No. I think you need to use PAM or something like that if you want
those requirements.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
If only the physical world exists, free will is an illusion.
I know that md5 authentication is used.
On Tue, Oct 19, 2021 at 11:38 AM Agil Azimov <agil.azimov@gmail.com> wrote:
Thank you for your reply! I would like to check the current password requirements of PostgreSQL server. Could you please let me know which command will show me the
1. Minimal requirements for password length
2. Maximum password age
3. If the password complexity requirements are turned on.
4. Password history requirement - number of passwords
5. Account lockout threshold.
I appreciate your support.
On Wed, Oct 13, 2021 at 3:28 AM Bruce Momjian <bruce@momjian.us> wrote:
On Tue, Oct 12, 2021 at 08:46:44PM +0400, Agil Azimov wrote:
> Thank you for your message. Will I be able to set all the settings I mentioned
> before if I will set SCRAM?
No. I think you need to use PAM or something like that if you want
those requirements.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
If only the physical world exists, free will is an illusion.
On Tue, 2021-10-19 at 11:38 +0400, Agil Azimov wrote:
>
> On Wed, Oct 13, 2021 at 3:28 AM Bruce Momjian <bruce@momjian.us> wrote:
> > On Tue, Oct 12, 2021 at 08:46:44PM +0400, Agil Azimov wrote:
> > > Thank you for your message. Will I be able to set all the settings I mentioned
> > > before if I will set SCRAM?
> >
> > No. I think you need to use PAM or something like that if you want
> > those requirements.
>
> Thank you for your reply! I would like to check the current password requirements of PostgreSQL server. Could you please let me know which command will show me the
> 1. Minimal requirements for password length
> 2. Maximum password age
> 3. If the password complexity requirements are turned on.
> 4. Password history requirement - number of passwords
> 5. Account lockout threshold.
>
> I appreciate your support.
As Bruce said, there are no such requirements. You will have to manage your passwords outside of PostgreSQL if you need to impose password rules.
PAM, the pluggable authentication module of Linux, is one way of doing that.
Yours,
Laurenz Albe
--
Cybertec | https://www.cybertec-postgresql.com
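As an added example, not code from anyone in this thread, these are the queries a DBA can run to see what PostgreSQL itself actually records, which is the point of Tom Lane's and Laurenz Albe's replies: there is no length, complexity, age, history or lockout setting to display, only the hashing method, the per-role verifier, the pg_hba.conf method in use and an optional VALID UNTIL expiry. The role name app_user and the date are placeholders.

```sql
-- Added example (not from the thread). Run in psql as a superuser.

-- How NEW passwords will be hashed: 'md5' is the poster's situation,
-- 'scram-sha-256' is what Tom Lane recommends.
SHOW password_encryption;

-- Which pg_hba.conf rules still accept md5 (or worse). A 'pam' rule with
-- pamservice=... is where external length/age/lockout rules would live,
-- as suggested in the thread.
SELECT line_number, type, database, user_name, address, auth_method, options
FROM   pg_hba_file_rules
WHERE  auth_method IN ('md5', 'password', 'trust')
   OR  error IS NOT NULL;

-- Per-role verifier. PostgreSQL keeps no history, complexity flag or
-- lockout counter; rolvaliduntil (VALID UNTIL) is the only expiry it has.
SELECT rolname,
       CASE
         WHEN rolpassword IS NULL                THEN 'no password'
         WHEN rolpassword LIKE 'md5%'            THEN 'md5'
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
         ELSE 'other'
       END AS verifier,
       -- a SCRAM verifier is SCRAM-SHA-256$<iterations>:<salt>$<keys>
       CASE WHEN rolpassword LIKE 'SCRAM-SHA-256$%'
            THEN split_part(split_part(rolpassword, '$', 2), ':', 1)::int
       END AS scram_iterations,
       rolvaliduntil
FROM   pg_authid
WHERE  rolcanlogin
ORDER  BY verifier, rolname;

-- Move a role from md5 to SCRAM. Use psql's \password so the client hashes
-- the new password locally and the server only ever receives the verifier;
-- ALTER ROLE ... PASSWORD 'literal' would send cleartext over the wire,
-- the very problem the thread warns about. app_user/date are placeholders.
SET password_encryption = 'scram-sha-256';
-- \password app_user
ALTER ROLE app_user VALID UNTIL '2022-04-01';
```

pg_hba_file_rules reflects the file on disk, so re-run it after editing pg_hba.conf and reloading to confirm no md5 rule remains.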