From: | "D'Arcy J(dot)M(dot) Cain" <darcy(at)druid(dot)net> |
---|---|
To: | "Roberts, Jon" <Jon(dot)Roberts(at)asurion(dot)com> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Password policy |
Date: | 2008-01-16 07:29:56 |
Message-ID: | 20080116022956.b1e1e506.darcy@druid.net |
Lists: | pgsql-hackers |

On Tue, 15 Jan 2008 16:11:16 -0600
"Roberts, Jon" <Jon(dot)Roberts(at)asurion(dot)com> wrote:
> I need to set a basic password policy for accounts but I don't see any
> documentation on how to do it. I'm assuming there is a way to do this,
> maybe even with a trigger.
>
> The policy would be something like this:
> 1. Must contain letters and numbers
> 2. Must be at least 8 characters long
> 3. Must contain one special character (#,@,$,%,!, etc)
> 4. Password (not the account) must expire after 90 days
> 5. Must warn users 10 days before the expiry to change the password

Look at my chkpass type in contrib. There is a function to verify the
password. It is just a placeholder now but you can modify it to do all
your checking.

Policies 4 & 5 may require further work either in the chkpass type or
with a separate field. Details are hard to suggest as I can think of
three or four methods right away but it all depends on more detailed
requirements to determine the best one.

Non-database related suggestion: Reconsider 4 & 5 anyway. Forcing
people to change their passwords all the time is less secure, not
more. In those situations you tend to find a lot more passwords on
post-it notes and in clear text files.

--
D'Arcy J.M. Cain <darcy(at)druid(dot)net> | Democracy is three wolves
http://www.druid.net/darcy/ | and a sheep voting on
+1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.
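
An added example, not part of the message above and not chkpass code: one way rules 1-3 of the quoted policy could be checked in C (the language chkpass is written in), with a helper for the 90-day and 10-day ages in rules 4-5. The names `check_password_policy` and `password_age_status`, the flag values, and the day-80/day-90 boundaries are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* One bit per failed rule; 0 means rules 1-3 are all satisfied. */
enum {
    PW_TOO_SHORT  = 1,  /* rule 2: fewer than 8 bytes */
    PW_NO_LETTER  = 2,  /* rule 1: no letter */
    PW_NO_DIGIT   = 4,  /* rule 1: no digit */
    PW_NO_SPECIAL = 8   /* rule 3: no punctuation character */
};

/* Hypothetical helper (not a chkpass function): checks rules 1-3. */
static int check_password_policy(const char *pw)
{
    int letter = 0, digit = 0, special = 0, failed = 0;
    size_t len = 0;

    if (pw == NULL)
        return PW_TOO_SHORT | PW_NO_LETTER | PW_NO_DIGIT | PW_NO_SPECIAL;
    for (; pw[len] != '\0'; len++) {
        /* ctype functions need an unsigned char value, not a plain char */
        unsigned char c = (unsigned char) pw[len];
        if (isalpha(c))      letter = 1;
        else if (isdigit(c)) digit = 1;
        else if (ispunct(c)) special = 1;
    }
    if (len < 8)  failed |= PW_TOO_SHORT;   /* length is counted in bytes */
    if (!letter)  failed |= PW_NO_LETTER;
    if (!digit)   failed |= PW_NO_DIGIT;
    if (!special) failed |= PW_NO_SPECIAL;
    return failed;
}

/* Rules 4-5: assumed boundaries are expiry at day 90, warning from day 80. */
enum pw_age { PW_AGE_OK, PW_AGE_WARN, PW_AGE_EXPIRED };

static enum pw_age password_age_status(long days_since_change)
{
    if (days_since_change >= 90) return PW_AGE_EXPIRED;
    if (days_since_change >= 80) return PW_AGE_WARN;
    return PW_AGE_OK;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the thread. */
    printf("%d %d\n", check_password_policy("example#2008"),
           (int) password_age_status(85));
    return 0;
}
```

Returning a bitmask rather than a single pass/fail lets the caller tell the user every rule that failed in one message.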