Password complexity/history - credcheck?
Hello.
Recently our security team have wanted to apply password complexity
checks akin to Oracle's profile mechanism to PostgreSQL, checking that a
password hasn't been used in x months etc, has minimum length, x special
characters and x numeric characters, mixed case etc.
As far as I'm aware there's nothing part of the standard 'community
edition' which gives us that, apart from passwordcheck - which doesn't
give you a password history.
Can anyone recommend a good mechanism to accomodate this? Ideally we're
looking for something well-established, reliable, and easily
configurable. Does anything spring to mind?
A colleague has been looking around, and stumbled across
https://github.com/MigOpsRepos/credcheck. Does anyone have any positive
(or negative) experience with this? I'm happy to download and apply to a
test database, obviously, but some indication of whether or not it's
worth looking at first would be greatly appreciated. Is this something
that the community would recommend?
Many thanks!
--
Martin Goodson.
"Have you thought up some clever plan, Doctor?"
"Yes, Jamie, I believe I have."
"What're you going to do?"
"Bung a rock at it."
Martin Goodson <kaemaril@googlemail.com> writes:
Recently our security team have wanted to apply password complexity
checks akin to Oracle's profile mechanism to PostgreSQL, checking that a
password hasn't been used in x months etc, has minimum length, x special
characters and x numeric characters, mixed case etc.
Don't suppose it would help to push back on whether your security
team knows what they're doing.
The really key reason why server-side password checks are not as
bright an idea as they sound is that they cannot be implemented
without forcing the client to transmit the password in cleartext.
It's widely considered best practice if the server *never* sees
the user's cleartext password, because then it can't leak, either
from sniffing the connection or scraping the postmaster log.
I believe that practices such as forcing a password change every
X amount of time are not viewed as favorably as they once were,
either. (The argument is that that discourages users from putting
any serious thought into choosing an uncrackable password, and
might well encourage them to write down their current and last few
passwords somewhere.)
Anyway, considerations like these are why there's not features
of this sort in community PG. You can use an extension that
applies some checks, but there's no good way around the "needs
cleartext password" problem for that.
regards, tom lane
On Sat, Jun 22, 2024 at 7:28 PM Martin Goodson <kaemaril@googlemail.com>
wrote:
Hello.
Recently our security team have wanted to apply password complexity
checks akin to Oracle's profile mechanism to PostgreSQL, checking that a
password hasn't been used in x months
There would have to be a pg_catalog table which stores login history.
etc, has minimum length, x special
characters and x numeric characters, mixed case etc.
Is that an after-the-fact scanner (with all the problems Tom mentioned), or
is it a client-side "check while you're typing in the *new* password"
scanner?
On 23/06/2024 01:23, Tom Lane wrote:
Don't suppose it would help to push back on whether your security
team knows what they're doing.
...
Anyway, considerations like these are why there's not features
of this sort in community PG. You can use an extension that
applies some checks, but there's no good way around the "needs
cleartext password" problem for that.regards, tom lane
I believe that our security team is getting most of this from our
auditors, who seem convinced that minimal complexity, password history
etc are the way to go despite the fact that, as you say, server-side
password checks can't really be implemented when the database receives a
hash rather than a clear text password and password minimal complexity
etc is not perhaps considered the gold standard it once was.
In fact, I think they see a hashed password as a disadvantage.
credcheck seems to satisfy their requirements - password complexity,
password history, etc but - and this is the crucial bit - only on
cleartext passwords.
If I'm forced to go to cleartext passwords, which would be a nightmare,
credcheck might be worth looking at, but I'm not sure whether or not it
is well adopted, reliable, and without significant issues. I only heard
about it a few days ago from a friend/colleague, so I was wondering if
anybody else was using it and what experiences with it might be.
Regards,
Martin.
--
Martin Goodson.
"Have you thought up some clever plan, Doctor?"
"Yes, Jamie, I believe I have."
"What're you going to do?"
"Bung a rock at it."
## Martin Goodson (kaemaril@googlemail.com):
I believe that our security team is getting most of this from our
auditors, who seem convinced that minimal complexity, password history
etc are the way to go despite the fact that, as you say, server-side
password checks can't really be implemented when the database receives
a hash rather than a clear text password and password minimal
complexity etc is not perhaps considered the gold standard it once
was.
The current state of the art is documented (as in, "official", for
arguing with auditors) at
https://pages.nist.gov/800-63-3/sp800-63b.html#sec5
My advice would be to not use secrets stored in the database -
that is, do not use scram-sha-256 - but use an external authentication
system, like Kerberos (might be AD) or LDAP (might also be AD) and have
that managed by the security team: that way all these compliance
topics which they brought up also become their problem :) and a lot
of the processes of recovering and disabling accounts and changing
passords move into a central location, which is most often a good thing[tm].
Or maybe move to client certificates, but if you're managing more
than a few personal accounts rotating certificates might become a
hassle (depending on your user base).
Regards,
Christoph
--
Spare Space
On 23/06/2024 11:49, Christoph Moench-Tegeder wrote:
My advice would be to not use secrets stored in the database -
that is, do not use scram-sha-256 - but use an external authentication
system, like Kerberos (might be AD) or LDAP (might also be AD) and have
that managed by the security team: that way all these compliance
Crikey, that would be quite a lot of lot of SSL/TLS to set up. We have
quite a few (massive understatement :( ... ) PostgreSQL database
clusters spread over quite a lot (another understatement) of VMs.
The last time I suggested LDAP there was a lot of enthusiasm ... until
they went down and looked at what might have to be done, after which it
all became very quiet ...
Regards,
Martin.
On Sun, Jun 23, 2024 at 5:30 AM Martin Goodson <kaemaril@googlemail.com>
wrote:
I believe that our security team is getting most of this from our
auditors, who seem convinced that minimal complexity, password history
etc are the way to go despite the fact that, as you say, server-side
password checks can't really be implemented when the database receives a
hash rather than a clear text password and password minimal complexity
etc is not perhaps considered the gold standard it once was.In fact, I think they see a hashed password as a disadvantage.
Wow, full stop right there. This is a hill to die on.
Push back and get some competent auditors. This should not be a DBAs
problem. Your best bet is to use Kerberos, and throw the password
requirements out of the database realm entirely.
Also, the discussion should be about 2FA, not password history/complexity.
Cheers,
Greg
On Sun, 2024-06-23 at 14:14 +0100, Martin Goodson wrote:
On 23/06/2024 11:49, Christoph Moench-Tegeder wrote:
My advice would be to not use secrets stored in the database -
that is, do not use scram-sha-256 - but use an external authentication
system, like Kerberos (might be AD) or LDAP (might also be AD) and have
that managed by the security team: that way all these complianceCrikey, that would be quite a lot of lot of SSL/TLS to set up. We have quite a
few (massive understatement :( ... ) PostgreSQL database clusters spread over
quite a lot (another understatement) of VMs.The last time I suggested LDAP there was a lot of enthusiasm ... until they went
down and looked at what might have to be done, after which it all became very quiet ...
Yes, LDAP is not perfect for that - for one, every connection to the database would
also hit the LDAP server.
Kerberos or certificate authentication is probably better.
For many PostgreSQL clusters and clients, that might be a lot of work.
But not all your PostgreSQL databases will contain equally sensitive data.
You could start with the important ones, try to automatize as much as possible,
and roll out the changes over time.
Yours,
Laurenz Albe
On Sun, Jun 23, 2024 at 10:10 AM Greg Sabino Mullane <htamfids@gmail.com>
wrote:
On Sun, Jun 23, 2024 at 5:30 AM Martin Goodson <kaemaril@googlemail.com>
wrote:I believe that our security team is getting most of this from our
auditors, who seem convinced that minimal complexity, password history
etc are the way to go despite the fact that, as you say, server-side
password checks can't really be implemented when the database receives a
hash rather than a clear text password and password minimal complexity
etc is not perhaps considered the gold standard it once was.In fact, I think they see a hashed password as a disadvantage.
Wow, full stop right there. This is a hill to die on.
Push back and get some competent auditors. This should not be a DBAs
problem. Your best bet is to use Kerberos, and throw the password
requirements out of the database realm entirely.Also, the discussion should be about 2FA, not password history/complexity.
Hmmmmmmm - - - - 2FA - - - - what I've seen of it so far is that
authentication is most often done
using totally insecure tools (emailing some numbers or using SMS). Now if
you were espousing
the use of security dongles and such I would agree - - - - otherwise you
are promoting the veneering
of insecurity on insecurity with the hope that this helps.
IMO having excellent passwords far trumps even 2FA - - - - 2FA is useful
when simple or quite
easily broken passwords are required. Now when you add the lack of SMS
possibilities (due to lack of signal) 2FA is an usually potent PITA because
of course SMS 'always' works (except it doesn't(!!!!!!!!!!!!!!!!)).
(Can you tell that I've been bitten in the posterior repeatedly with this
garbage?)
Regards
On Mon, Jun 24, 2024 at 8:00 PM o1bigtenor <o1bigtenor@gmail.com> wrote:
On Sun, Jun 23, 2024 at 10:10 AM Greg Sabino Mullane <htamfids@gmail.com>
wrote:On Sun, Jun 23, 2024 at 5:30 AM Martin Goodson <kaemaril@googlemail.com>
wrote:I believe that our security team is getting most of this from our
auditors, who seem convinced that minimal complexity, password history
etc are the way to go despite the fact that, as you say, server-side
password checks can't really be implemented when the database receives a
hash rather than a clear text password and password minimal complexity
etc is not perhaps considered the gold standard it once was.In fact, I think they see a hashed password as a disadvantage.
Wow, full stop right there. This is a hill to die on.
Push back and get some competent auditors. This should not be a DBAs
problem. Your best bet is to use Kerberos, and throw the password
requirements out of the database realm entirely.Also, the discussion should be about 2FA, not password history/complexity.
Hmmmmmmm - - - - 2FA - - - - what I've seen of it so far is that
authentication is most often done
using totally insecure tools (emailing some numbers or using SMS). Now if
you were espousing
the use of security dongles and such I would agree - - - - otherwise you
are promoting the veneering
of insecurity on insecurity with the hope that this helps.IMO having excellent passwords far trumps even 2FA - - - - 2FA is useful
when simple or quite
easily broken passwords are required. Now when you add the lack of SMS
possibilities (due to lack of signal) 2FA is an usually potent PITA because
of course SMS 'always' works (except it doesn't(!!!!!!!!!!!!!!!!)).(Can you tell that I've been bitten in the posterior repeatedly with this
garbage?)
For 2FA, a simple solution is to require a password plus
clientcert=sameuser. This allows you to authorize devices/user accounts
for specific remote database connections and provides that second factor --
i.e. something you have as well as something you know.
Regards
--
Best Wishes,
Chris Travers
Efficito: Hosted Accounting and ERP. Robust and Flexible. No vendor
lock-in.
http://www.efficito.com/learn_more
## Martin Goodson (kaemaril@googlemail.com):
Crikey, that would be quite a lot of lot of SSL/TLS to set up. We
have quite a few (massive understatement :( ... ) PostgreSQL database
clusters spread over quite a lot (another understatement) of VMs.
No matter what: you'll have to touch all your instances anyways.
The good thing is that all the options (including TLS) can be
automatically deployed iff you're set up for that - and you should
be, especially when you have "many" databases.
The last time I suggested LDAP there was a lot of enthusiasm ... until
they went down and looked at what might have to be done, after which
it all became very quiet ...
With "many" databases and personal accounts, you should have some
sort of central management (else even an inventory of the accounts
("who can access what") is a nightmare). Finding the best ways towards
that goal for your organization could be beyond the scope of an email
list - but I'd start with looking at what you already have. I mentioned
LDAP because all too often that's the system which you can most easily
get access to (but depending on your environment, that might mot be
the best solution).
Regards,
Christoph
--
Spare Space.