Password policy

Roberts, Jon wrote:

I need to set a basic password policy for accounts but I don't see any
documentation on how to do it. I'm assuming there is a way to do this,
maybe even with a trigger.

The policy would be something like this:
1. Must contain letters and numbers
2. Must be at least 8 characters long
3. Must contain one special character (#,@,$,%,!, etc)
4. Password (not the account) must expire after 90 days
5. Must warn users 10 days before the expire to change the password

This question really belongs on the -general list, not the -hackers list
(as do all questions about usage).

The short answer is "not really". You could use an external password
source like PAM or LDAP that enforced such restrictions.

cheers

andrew

On Tue, 15 Jan 2008 16:11:16 -0600
"Roberts, Jon" <Jon.Roberts@asurion.com> wrote:

I need to set a basic password policy for accounts but I don't see any
documentation on how to do it. I'm assuming there is a way to do this,
maybe even with a trigger.

The policy would be something like this:
1. Must contain letters and numbers
2. Must be at least 8 characters long
3. Must contain one special character (#,@,$,%,!, etc)
4. Password (not the account) must expire after 90 days
5. Must warn users 10 days before the expire to change the password

Look at my chkpass type in contrib. There is a function to verify the
password. It is just a placeholder now but you can modify it to do all
your checking.

Policies 4 & 5 may require further work either in the chkpass type or
with a separate field. Details are hard to suggest as I can think of
three or four methods right away but it all depends on more detailed
requirements to determine the best one.

Non-database related suggestion: Reconsider 4 & 5 anyway. Forcing
people to change their passwords all the time is less secure, not
more. In those situations you tend to find a lot more passwords on
post-it notes and in clear text files.

-- 
D'Arcy J.M. Cain <darcy@druid.net>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 425 1212     (DoD#0082)    (eNTP)   |  what's for dinner.

D'Arcy J.M. Cain wrote:

On Tue, 15 Jan 2008 16:11:16 -0600
"Roberts, Jon" <Jon.Roberts@asurion.com> wrote:

I need to set a basic password policy for accounts but I don't see any
documentation on how to do it. I'm assuming there is a way to do this,
maybe even with a trigger.

The policy would be something like this:
1. Must contain letters and numbers
2. Must be at least 8 characters long
3. Must contain one special character (#,@,$,%,!, etc)
4. Password (not the account) must expire after 90 days
5. Must warn users 10 days before the expire to change the password

Look at my chkpass type in contrib. There is a function to verify the
password. It is just a placeholder now but you can modify it to do all
your checking.

I assumed he was asking about Postgres level passwords rather than
passwords maintained by an application. chkpass is only for the latter.

( Slightly OT - chkpass uses crypt(). Maybe that should be upgraded to
use md5 or some more modern hashing function. )

cheers

andrew

On Wed, 16 Jan 2008 08:32:12 -0500
Andrew Dunstan <andrew@dunslane.net> wrote:

I need to set a basic password policy for accounts but I don't see any

Look at my chkpass type in contrib. There is a function to verify the
password. It is just a placeholder now but you can modify it to do all
your checking.

I assumed he was asking about Postgres level passwords rather than
passwords maintained by an application. chkpass is only for the latter.

Could be. I saw "accounts" and thought Unix shell or ISP accounts.

( Slightly OT - chkpass uses crypt(). Maybe that should be upgraded to
use md5 or some more modern hashing function. )

Yes, I have said many times that other encryption types could easily be
dropped in. It could even be changed to handle either as long as there
was some way to set the default. However, these things haven't yet
been a requirement for me so I have not bothered yet.

-- 
D'Arcy J.M. Cain <darcy@druid.net>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 425 1212     (DoD#0082)    (eNTP)   |  what's for dinner.

-----Original Message-----
From: D'Arcy J.M. Cain [mailto:darcy@druid.net]
Sent: Wednesday, January 16, 2008 9:39 AM
To: Andrew Dunstan
Cc: Roberts, Jon; pgsql-hackers@postgresql.org
Subject: Re: [HACKERS] Password policy

On Wed, 16 Jan 2008 08:32:12 -0500
Andrew Dunstan <andrew@dunslane.net> wrote:

I need to set a basic password policy for accounts but I don't see

any

Look at my chkpass type in contrib. There is a function to verify the
password. It is just a placeholder now but you can modify it to do

all

your checking.

I assumed he was asking about Postgres level passwords rather than
passwords maintained by an application. chkpass is only for the latter.

Could be. I saw "accounts" and thought Unix shell or ISP accounts.

I was referring to PostgreSQL accounts.

Jon

On Wednesday 16 January 2008 08:32, Andrew Dunstan wrote:

( Slightly OT - chkpass uses crypt(). Maybe that should be upgraded to
use md5 or some more modern hashing function. )

Some versions of crypt() will generate md5 hashes if you start the salt with
$1$<salt>$. I know this to work on FreeBSD, NetBSD, and Fedora core, and I
believe it also works on other Linux distributions and Solaris. I have a
patch to chkpass.c which will do this based on a custom GUC. The nice thing
about this is that it continues to work with mod_auth_pgsql. I did have to
change the on-disk representation to fit in the extra data.

D'Arcy, if you're interested I'll send you a patch.

--
Patrick TJ McPhee <pmcphee@givex.com>