| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Agil Azimov <agil(dot)azimov(at)gmail(dot)com> |
| Cc: | pgsql-novice(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Password settings requirements |
| Date: | 2021-10-12 15:53:38 |
| Message-ID: | 577837.1634054018@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-novice |
Agil Azimov <agil(dot)azimov(at)gmail(dot)com> writes:
> Need to check the password settings in postgre such as Password minimal
> length, password complexity, password maximal age, password history and
> account lockout threshold.
> I need to set these parameters to make the comply with the best practices
If you're intent on doing things that way, you can set up Postgres
to use PAM authentication, and then the PAM end of things can be
configured with all kinds of options like that.
Personally though, I'd push back on those requirements. The fundamental
problem with doing anything like that is that you cannot check password
length, complexity, etc without users having to send their cleartext
passwords to the server, which is a much bigger security fail than
anything appearing on your list. Best practice these days is to use
SCRAM, which never exposes the cleartext password to the server.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Agil Azimov | 2021-10-12 16:43:30 | Re: Password settings requirements |
| Previous Message | hubert depesz lubaczewski | 2021-10-12 15:26:01 | Re: Password settings requirements |