Re: 2FA - - - was Re: Password complexity/history - credcheck?

From: Chris Travers <chris(dot)travers(at)gmail(dot)com>
To: o1bigtenor <o1bigtenor(at)gmail(dot)com>
Cc: pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: 2FA - - - was Re: Password complexity/history - credcheck?
Date: 2024-06-24 13:30:44
Message-ID: CAKt_Zft6pfd+Cw+5oyDDCiOqF9aJoYcBcXeT2cY=Cm1zkzpcow@mail.gmail.com
Lists: pgsql-general

On Mon, Jun 24, 2024 at 8:00 PM o1bigtenor <o1bigtenor(at)gmail(dot)com> wrote:

>
>
> On Sun, Jun 23, 2024 at 10:10 AM Greg Sabino Mullane <htamfids(at)gmail(dot)com>
> wrote:
>
>> On Sun, Jun 23, 2024 at 5:30 AM Martin Goodson <kaemaril(at)googlemail(dot)com>
>> wrote:
>>
>>> I believe that our security team is getting most of this from our
>>> auditors, who seem convinced that minimal complexity, password history
>>> etc are the way to go despite the fact that, as you say, server-side
>>> password checks can't really be implemented when the database receives a
>>> hash rather than a clear text password and password minimal complexity
>>> etc is not perhaps considered the gold standard it once was.
>>>
>>> In fact, I think they see a hashed password as a disadvantage.
>>
>>
>> Wow, full stop right there. This is a hill to die on.
>>
>> Push back and get some competent auditors. This should not be a DBA's
>> problem. Your best bet is to use Kerberos, and throw the password
>> requirements out of the database realm entirely.
>>
>> Also, the discussion should be about 2FA, not password history/complexity.
>>
>>
> Hmmmmmmm - - - - 2FA - - - - what I've seen of it so far is that
> authentication is most often done using totally insecure tools (emailing
> some numbers or using SMS). Now if you were espousing the use of security
> dongles and such I would agree - - - - otherwise you are promoting the
> veneering of insecurity on insecurity with the hope that this helps.
>
> IMO having excellent passwords far trumps even 2FA - - - - 2FA is useful
> when simple or quite easily broken passwords are required. Now when you add
> the lack of SMS possibilities (due to lack of signal) 2FA is a usually
> potent PITA because of course SMS 'always' works (except it
> doesn't(!!!!!!!!!!!!!!!!)).
>
> (Can you tell that I've been bitten in the posterior repeatedly with this
> garbage?)
>

For 2FA, a simple solution is to require a password plus
clientcert=sameuser. This allows you to authorize devices/user accounts
for specific remote database connections and provides that second factor --
i.e. something you have as well as something you know.

>
>
> Regards
>

--
Best Wishes,
Chris Travers

Efficito: Hosted Accounting and ERP. Robust and Flexible. No vendor
lock-in.
http://www.efficito.com/learn_more
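An added illustration (not code from this thread or from PostgreSQL) of the password-plus-client-certificate setup described above: a small Python audit over a constructed pg_hba.conf sample that labels each rule by the factors it enforces. It assumes the current pg_hba.conf option spelling, clientcert=verify-full, under which the server checks that the client certificate's CN matches the database role name, and that clientcert is only honoured on hostssl rows.

```python
"""Audit pg_hba.conf rules for 'password plus client certificate' 2FA."""

# Constructed sample, not a real deployment's file. Row 1 is the weak form
# (password only); row 2 is the hardened form: SCRAM password (something you
# know) plus a certificate bound to the role name (something you have).
SAMPLE_PG_HBA = """
# TYPE  DATABASE  USER  ADDRESS        METHOD         OPTIONS
hostssl all       all   10.0.0.0/8     scram-sha-256
hostssl all       all   10.0.0.0/8     scram-sha-256  clientcert=verify-full
hostssl all       all   10.0.0.0/8     scram-sha-256  clientcert=verify-ca
host    all       all   192.168.1.0/24 md5            clientcert=verify-full
hostssl all       all   0.0.0.0/0      cert
local   all       all                  peer
"""

PASSWORD_METHODS = {"scram-sha-256", "md5", "password"}
KNOWN_METHODS = PASSWORD_METHODS | {"cert", "peer", "trust", "reject", "ident",
                                    "gss", "sspi", "ldap", "pam", "radius"}

def parse_rule(line):
    """Split one rule into (connection type, auth method, options dict)."""
    tokens = line.split()
    conn_type = tokens[0]
    # 'local' rules have no ADDRESS column; host* rules may add a netmask token.
    rest = tokens[3:] if conn_type == "local" else tokens[4:]
    if rest[0] not in KNOWN_METHODS and "=" not in rest[0]:
        rest = rest[1:]  # skip the separate netmask
    options = dict(opt.partition("=")[::2] for opt in rest[1:])
    return conn_type, rest[0], options

def factors(line):
    """Return (something_you_know, something_you_have) for one rule."""
    conn_type, method, options = parse_rule(line)
    knows = method in PASSWORD_METHODS
    # Only verify-full ties the certificate to the role name; verify-ca proves
    # a CA-signed cert exists, and clientcert is only honoured on hostssl rows.
    has = method == "cert" or (
        conn_type == "hostssl" and options.get("clientcert") == "verify-full")
    return knows, has

def audit(config):
    """Map each normalised rule to '2FA', 'password-only', 'cert-only' or 'neither'."""
    labels = {(True, True): "2FA", (True, False): "password-only",
              (False, True): "cert-only", (False, False): "neither"}
    verdicts = {}
    for line in config.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            verdicts[" ".join(line.split())] = labels[factors(line)]
    return verdicts
```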
