| From: | Scott Ribe <scott_ribe(at)elevated-dev(dot)com> |
|---|---|
| To: | Gavan Schneider <list(dot)pg(dot)gavan(at)pendari(dot)org> |
| Cc: | pgsql-admin <pgsql-admin(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Password authorization |
| Date: | 2022-01-20 23:12:03 |
| Message-ID: | CCF10D3D-B013-4736-AAE7-84043553C1BA@elevated-dev.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
> On Jan 20, 2022, at 3:52 PM, Gavan Schneider <list(dot)pg(dot)gavan(at)pendari(dot)org> wrote:
>
> On 21 Jan 2022, at 3:24, Daulat wrote:
>
>> Yes, you are right, I am planning for password complexity rules and to, force users to change their password.
>>
> While you are in the planning stages you may wish to review current best practice, e.g., USA National Institute of Standards and Technology.
>
> For me the most interesting aspect of the revised standard is how forcing password changes and complexity rules often leads to reduced security in the real world.
>
> Refer:
> https://pages.nist.gov/800-63-3/sp800-63-3.html
> https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/ (for a more human readable version :)
>
> Regards
>
> Gavan Schneider
Slightly off-topic, but I once ran into a system that would not allow kk1bsk#$ as a password because it contained a dictionary word.
Still wondering what dictionary they were using...
| From | Date | Subject | |
|---|---|---|---|
| Next Message | ryaz aws | 2022-01-21 03:46:53 | PGAdmin - psql tool issue |
| Previous Message | Gavan Schneider | 2022-01-20 22:52:27 | Re: Password authorization |