Re: Password complexity/history - credcheck?

Martin Goodson <kaemaril(at)googlemail(dot)com> writes:
> Recently our security team have wanted to apply password complexity
> checks akin to Oracle's profile mechanism to PostgreSQL, checking that a
> password hasn't been used in x months etc, has minimum length, x special
> characters and x numeric characters, mixed case etc.

Don't suppose it would help to push back on whether your security
team knows what they're doing.

The really key reason why server-side password checks are not as
bright an idea as they sound is that they cannot be implemented
without forcing the client to transmit the password in cleartext.
It's widely considered best practice if the server *never* sees
the user's cleartext password, because then it can't leak, either
from sniffing the connection or scraping the postmaster log.

I believe that practices such as forcing a password change every
X amount of time are not viewed as favorably as they once were,
either. (The argument is that that discourages users from putting
any serious thought into choosing an uncrackable password, and
might well encourage them to write down their current and last few
passwords somewhere.)

Anyway, considerations like these are why there's not features
of this sort in community PG. You can use an extension that
applies some checks, but there's no good way around the "needs
cleartext password" problem for that.

regards, tom lane