SEO

I need to set a basic password policy for accounts but I don't see any
documentation on how to do it. I'm assuming there is a way to do this,
maybe even with a trigger.

The policy would be something like this:
1. Must contain letters and numbers
2. Must be at least 8 characters long
3. Must contain one special character (#,@,$,%,!, etc)
4. Password (not the account) must expire after 90 days
5. Must warn users 10 days before the expire to change the password


Jon

---------------------------(end of broadcast)---------------------------
TIP 7: You can help support the PostgreSQL project by donating at

http://www.postgresql.org/about/donate

Roberts, Jon wrote:
> I need to set a basic password policy for accounts but I don't see any
> documentation on how to do it. I'm assuming there is a way to do this,
> maybe even with a trigger.
>
> The policy would be something like this:
> 1. Must contain letters and numbers
> 2. Must be at least 8 characters long
> 3. Must contain one special character (#,@,$,%,!, etc)
> 4. Password (not the account) must expire after 90 days
> 5. Must warn users 10 days before the expire to change the password
>
>
>

This question really belongs on the -general list, not the -hackers list
(as do all questions about usage).

The short answer is "not really". You could use an external password
source like PAM or LDAP that enforced such restrictions.

cheers

andrew

---------------------------(end of broadcast)---------------------------
TIP 3: Have you checked our extensive FAQ?

http://www.postgresql.org/docs/faq

On Tue, 15 Jan 2008 16:11:16 -0600
"Roberts, Jon" <Jon.Roberts@asurion.com> wrote:
> I need to set a basic password policy for accounts but I don't see any
> documentation on how to do it. I'm assuming there is a way to do this,
> maybe even with a trigger.
>
> The policy would be something like this:
> 1. Must contain letters and numbers
> 2. Must be at least 8 characters long
> 3. Must contain one special character (#,@,$,%,!, etc)
> 4. Password (not the account) must expire after 90 days
> 5. Must warn users 10 days before the expire to change the password

Look at my chkpass type in contrib. There is a function to verify the
password. It is just a placeholder now but you can modify it to do all
your checking.

Policies 4 & 5 may require further work either in the chkpass type or
with a separate field. Details are hard to suggest as I can think of
three or four methods right away but it all depends on more detailed
requirements to determine the best one.

Non-database related suggestion: Reconsider 4 & 5 anyway. Forcing
people to change their passwords all the time is less secure, not
more. In those situations you tend to find a lot more passwords on
post-it notes and in clear text files.

--
D'Arcy J.M. Cain <darcy@druid.net> | Democracy is three wolves
http://www.druid.net/darcy/ | and a sheep voting on
+1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.

---------------------------(end of broadcast)---------------------------
TIP 2: Don't 'kill -9' the postmaster

D'Arcy J.M. Cain wrote:
> On Tue, 15 Jan 2008 16:11:16 -0600
> "Roberts, Jon" <Jon.Roberts@asurion.com> wrote:
>
>> I need to set a basic password policy for accounts but I don't see any
>> documentation on how to do it. I'm assuming there is a way to do this,
>> maybe even with a trigger.
>>
>> The policy would be something like this:
>> 1. Must contain letters and numbers
>> 2. Must be at least 8 characters long
>> 3. Must contain one special character (#,@,$,%,!, etc)
>> 4. Password (not the account) must expire after 90 days
>> 5. Must warn users 10 days before the expire to change the password
>>
>
> Look at my chkpass type in contrib. There is a function to verify the
> password. It is just a placeholder now but you can modify it to do all
> your checking.
>
>

I assumed he was asking about Postgres level passwords rather than
passwords maintained by an application. chkpass is only for the latter.

( Slightly OT - chkpass uses crypt(). Maybe that should be upgraded to
use md5 or some more modern hashing function. )

cheers

andrew

---------------------------(end of broadcast)---------------------------
TIP 9: In versions below 8.0, the planner will ignore your desire to
choose an index scan if your joining column's datatypes do not
match

On Wed, 16 Jan 2008 08:32:12 -0500
Andrew Dunstan <andrew@dunslane.net> wrote:
> >> I need to set a basic password policy for accounts but I don't see any
> > Look at my chkpass type in contrib. There is a function to verify the
> > password. It is just a placeholder now but you can modify it to do all
> > your checking.
>
> I assumed he was asking about Postgres level passwords rather than
> passwords maintained by an application. chkpass is only for the latter.

Could be. I saw "accounts" and thought Unix shell or ISP accounts.

> ( Slightly OT - chkpass uses crypt(). Maybe that should be upgraded to
> use md5 or some more modern hashing function. )

Yes, I have said many times that other encryption types could easily be
dropped in. It could even be changed to handle either as long as there
was some way to set the default. However, these things haven't yet
been a requirement for me so I have not bothered yet.

--
D'Arcy J.M. Cain <darcy@druid.net> | Democracy is three wolves
http://www.druid.net/darcy/ | and a sheep voting on
+1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.

---------------------------(end of broadcast)---------------------------
TIP 1: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to majordomo@postgresql.org so that your
message can get through to the mailing list cleanly

On Wednesday 16 January 2008 08:32, Andrew Dunstan wrote:

> ( Slightly OT - chkpass uses crypt(). Maybe that should be upgraded to
> use md5 or some more modern hashing function. )

Some versions of crypt() will generate md5 hashes if you start the salt with
$1$<salt>$. I know this to work on FreeBSD, NetBSD, and Fedora core, and I
believe it also works on other Linux distributions and Solaris. I have a
patch to chkpass.c which will do this based on a custom GUC. The nice thing
about this is that it continues to work with mod_auth_pgsql. I did have to
change the on-disk representation to fit in the extra data.

D'Arcy, if you're interested I'll send you a patch.

--
Patrick TJ McPhee <pmcphee@givex.com>


---------------------------(end of broadcast)---------------------------
TIP 1: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to majordomo@postgresql.org so that your
message can get through to the mailing list cleanly