Re: Password settings requirements

From: Agil Azimov <agil(dot)azimov(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-novice(at)lists(dot)postgresql(dot)org
Subject: Re: Password settings requirements
Date: 2021-10-12 16:46:44
Message-ID: CAEQStSu8v2C8sJcMxk_h=9Kq=Ano0T8kXg6a0L9iOZ8UTVpwBQ@mail.gmail.com
Lists: pgsql-novice

Thank you for your message. Will I be able to set all the settings I
mentioned before if I set SCRAM?

On Tue, 12 Oct 2021, 7:53 pm Tom Lane, <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> Agil Azimov <agil(dot)azimov(at)gmail(dot)com> writes:
> > Need to check the password settings in Postgres such as password minimal
> > length, password complexity, password maximal age, password history and
> > account lockout threshold.
> > I need to set these parameters to make them comply with the best practices.
>
> If you're intent on doing things that way, you can set up Postgres
> to use PAM authentication, and then the PAM end of things can be
> configured with all kinds of options like that.
>
> Personally though, I'd push back on those requirements. The fundamental
> problem with doing anything like that is that you cannot check password
> length, complexity, etc without users having to send their cleartext
> passwords to the server, which is a much bigger security fail than
> anything appearing on your list. Best practice these days is to use
> SCRAM, which never exposes the cleartext password to the server.
>
> regards, tom lane
>

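The point Tom makes above, that SCRAM never hands the cleartext password to the server and therefore leaves the server nothing to run length or complexity rules against, is easiest to see by walking through the exchange. The following is an added example written for this thread, not code from PostgreSQL or from either poster. It implements SCRAM-SHA-256 (RFC 5802 / RFC 7677) with the standard library only, builds a verifier in the same `SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>` layout PostgreSQL keeps in `pg_authid.rolpassword`, and then runs both halves of one login in-process. The salt, user name and passwords are constructed test values; everything the server side touches after password-set time is the verifier and the wire messages, never the password itself.

```python
"""SCRAM-SHA-256 walk-through (RFC 5802 / RFC 7677), the scheme PostgreSQL
uses when password_encryption = 'scram-sha-256'.  Added example for the
thread; not PostgreSQL code."""
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 4096  # PostgreSQL's default iteration count for SCRAM-SHA-256


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_verifier(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Derived once, at CREATE/ALTER ROLE time.  This string is the only
    password-derived material the server keeps.  Layout matches what
    PostgreSQL stores in pg_authid.rolpassword."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    stored_key = _h(client_key)          # H(ClientKey): enough to verify, not to impersonate
    server_key = _hmac(salted, b"Server Key")
    return "SCRAM-SHA-256${}:{}${}:{}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(stored_key).decode(),
        base64.b64encode(server_key).decode(),
    )


def parse_verifier(verifier: str):
    scheme, params, keys = verifier.split("$")
    if scheme != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 verifier")
    iterations, salt = params.split(":")
    stored_key, server_key = keys.split(":")
    return (int(iterations), base64.b64decode(salt),
            base64.b64decode(stored_key), base64.b64decode(server_key))


def scram_exchange(password: str, verifier: str, user: str = "app"):
    """Runs client and server halves of one SCRAM login in-process.
    Returns (server_accepted_client, client_accepted_server)."""
    iterations, salt, stored_key, server_key = parse_verifier(verifier)

    # client-first: user name and a fresh client nonce
    client_nonce = secrets.token_urlsafe(18)
    client_first_bare = f"n={user},r={client_nonce}"

    # server-first: extends the nonce and hands back salt + iteration count.
    # Nothing here needs the password; the server only reads the verifier.
    combined_nonce = client_nonce + secrets.token_urlsafe(18)
    server_first = f"r={combined_nonce},s={base64.b64encode(salt).decode()},i={iterations}"

    # client-final: "biws" is base64("n,,"), i.e. no channel binding
    client_final_without_proof = f"c=biws,r={combined_nonce}"
    auth_message = ",".join(
        [client_first_bare, server_first, client_final_without_proof]).encode()

    # client side: the only place the cleartext password is ever used
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    client_signature = _hmac(_h(client_key), auth_message)
    client_proof = _xor(client_key, client_signature)   # this is what crosses the wire

    # server side: unmask ClientKey with StoredKey and check H(ClientKey) == StoredKey.
    # It never sees the password, so it cannot measure its length or complexity.
    recovered_client_key = _xor(client_proof, _hmac(stored_key, auth_message))
    server_accepted = hmac.compare_digest(_h(recovered_client_key), stored_key)

    # mutual auth: server proves it holds ServerKey, client checks the signature
    server_signature = _hmac(server_key, auth_message)
    client_expected = _hmac(_hmac(salted, b"Server Key"), auth_message)
    client_accepted = hmac.compare_digest(server_signature, client_expected)
    return server_accepted, client_accepted


if __name__ == "__main__":
    salt = b"constructed-16B!"                      # constructed salt, 16 bytes like PostgreSQL's
    verifier = make_verifier("correct horse", salt)  # constructed password
    print(verifier)
    print(scram_exchange("correct horse", verifier))  # (True, True)
    print(scram_exchange("wrong password", verifier))  # (False, False)
```

Two consequences follow for the original list of requirements. First, with `password_encryption = 'scram-sha-256'` in postgresql.conf and `scram-sha-256` as the method in pg_hba.conf, the server holds only `StoredKey`/`ServerKey`, so length, complexity and history can at best be checked at the moment the password is set, and a client that sends an already-computed verifier in `ALTER ROLE` gives the server nothing to inspect (this is also the documented limitation of the contrib `passwordcheck` module). Second, the `pam` method in pg_hba.conf does let PAM enforce those rules, but only because the libpq `password` exchange delivers the cleartext password to the server for every login, which is the trade-off Tom is pointing at.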