| From: | Greg Sabino Mullane <htamfids(at)gmail(dot)com> |
|---|---|
| To: | Martin Goodson <kaemaril(at)googlemail(dot)com> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Password complexity/history - credcheck? |
| Date: | 2024-06-23 15:09:26 |
| Message-ID: | CAKAnmmL7a20MKmjJuQZsrZPqCoSfdi5xpCtL4eqTxmcCKefC6Q@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Sun, Jun 23, 2024 at 5:30 AM Martin Goodson <kaemaril(at)googlemail(dot)com>
wrote:
> I believe that our security team is getting most of this from our
> auditors, who seem convinced that minimal complexity, password history
> etc are the way to go despite the fact that, as you say, server-side
> password checks can't really be implemented when the database receives a
> hash rather than a clear text password and password minimal complexity
> etc is not perhaps considered the gold standard it once was.
>
> In fact, I think they see a hashed password as a disadvantage.
Wow, full stop right there. This is a hill to die on.
Push back and get some competent auditors. This should not be a DBAs
problem. Your best bet is to use Kerberos, and throw the password
requirements out of the database realm entirely.
Also, the discussion should be about 2FA, not password history/complexity.
Cheers,
Greg
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2024-06-23 15:48:15 | Re: Stack Smashing Detected When Executing initdb |
| Previous Message | Xu Haorong | 2024-06-23 14:20:36 | 回复: Stack Smashing Detected When Executing initdb |