password administration

on 05.08.2010 21:58:06 by Mark Steben

Hi postgres gurus:

I would like to set up a facility that enforces password changes for roles
after a predefined period (30 days for instance) when logging into psql,
or, at the very least, send an email out to notify that your current
password period is about to expire. Preferably, I'd like to use
the 'rolvaliduntil' column in pg_roles.

I'm wondering if there is an app inside or outside of postgres
that I can use or do I have to design from scratch.

Thanks for your time,


Mark Steben | Database Administrator
@utoRevenue® - "Keeping Customers Close"
95D Ashley Ave, West Springfield, MA 01089
413.243.4800 x1512 (Phone) | 413.732-1824 (Fax)
@utoRevenue is a registered trademark and a division of Dominion
Enterprises

--
Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
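As an added example (not code from the thread or from any poster), this is what the rolvaliduntil-based approach Mark describes looks like in plain SQL: set the expiry when the password is changed, report roles that expire within the window, and audit roles that never expire. The role name app_user, the placeholder password and the 30-day window are assumptions.

```sql
-- Added example, not from the thread. Assumes a login role named app_user
-- and a 30-day window; both are placeholders.

-- 1. Set the expiry at the moment the password is changed. VALID UNTIL only
--    accepts a literal, so the statement is built with format() to use now().
--    Caveat: the password appears in the statement text, so it will show up
--    in the server log if statement logging is enabled.
DO $$
BEGIN
  EXECUTE format('ALTER ROLE %I PASSWORD %L VALID UNTIL %L',
                 'app_user',
                 'new-password-goes-here',            -- placeholder value
                 (now() + interval '30 days')::text);
END
$$;

-- 2. Daily report for a cron job (psql output piped to mail): login roles
--    whose password expires within the next 30 days or has already expired.
--    Expiry governs password authentication only; roles that log in via
--    peer, cert or GSSAPI are unaffected, and an expired password does not
--    force a change, it simply stops working until ALTER ROLE is run again.
SELECT rolname,
       rolvaliduntil,
       CASE WHEN rolvaliduntil < now() THEN 'expired'
            ELSE 'expires in ' || (rolvaliduntil::date - now()::date) || ' days'
       END AS status
FROM pg_roles
WHERE rolcanlogin
  AND rolvaliduntil IS NOT NULL
  AND rolvaliduntil <> 'infinity'
  AND rolvaliduntil < now() + interval '30 days'
ORDER BY rolvaliduntil;

-- 3. Audit check: a NULL (or 'infinity') rolvaliduntil means "never expires",
--    so list those login roles rather than letting the report ignore them.
SELECT rolname
FROM pg_roles
WHERE rolcanlogin
  AND (rolvaliduntil IS NULL OR rolvaliduntil = 'infinity');
```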

Re: password administration

on 05.08.2010 22:20:53 by Craig James

On 8/5/10 12:58 PM, Mark Steben wrote:
> I would like to set up a facility that enforces password changes for roles
> After a predefined period (30 days for instance) when logging into psql
> Or, at the very least, send an email out to notify that your current
> Password period is about to expire. Preferably, I'd like to use
> The 'rolvaliduntil' column in pg_roles.
>
> I'm wondering if there is an app inside or outside of postgres
> that I can use or do I have to design from scratch.

This is an off-topic response, but security experts have said that this is a REALLY bad idea. It forces people to choose a new password, which means they can't remember it. So what do they do? They write it down. Anyone snooping around their office can find it.

Besides, when a password is stolen, it's usually used within minutes. Making everyone change every month does no good at all.

A better solution is to implement a password-strength algorithm and require people to select decent passwords to begin with.

Craig

Re: password administration

on 05.08.2010 22:27:46 by Scott Marlowe

On Thu, Aug 5, 2010 at 2:20 PM, Craig James wrote:
> On 8/5/10 12:58 PM, Mark Steben wrote:
>>
>> I would like to set up a facility that enforces password changes for roles
>> After a predefined period (30 days for instance) when logging into psql
>> Or, at the very least, send an email out to notify that your current
>> Password period is about to expire. Preferably, I'd like to use
>> The 'rolvaliduntil' column in pg_roles.
>>
>> I'm wondering if there is an app inside or outside of postgres
>> that I can use or do I have to design from scratch.
>
> This is an off-topic response, but security experts have said that this is a
> REALLY bad idea. It forces people to choose a new password, which means
> they can't remember it. So what do they do? They write it down. Anyone
> snooping around their office can find it.
>
> Besides, when a password is stolen, it's usually used within minutes.
> Making everyone change every month does no good at all.
>
> A better solution is to implement a password-strength algorithm and require
> people to select decent passwords to begin with.

Exactly. If you allow simpler passwords that have to be changed you
get things like:

ilovemywife22 md5: b845aec254d018d118fe52c46ee8c98c

changed to

ilovemywife23 md5: 8c2b59e4d961478e3a9d5bd94979f329

You can't tell how close they are by the md5. If you try to prevent
people from reusing similar passwords, then you have to store either
the previous passwords (bad security) or something like a soundex of
the previous password (also bad security.)

Better to have strong passwords and intrusion detection.

Re: password administration

on 05.08.2010 22:32:47 by Tom Lane

"Mark Steben" writes:
> I would like to set up a facility that enforces password changes for roles
> After a predefined period (30 days for instance) when logging into psql
> Or, at the very least, send an email out to notify that your current
> Password period is about to expire.

Usually we suggest using PAM when you want to do this, as there's all
sorts of spare parts out there already for PAM-managed passwords.

(I concur with the response questioning whether forced password changes
are good policy, especially with an interval as short as that. But if
you've got bullheaded management to deal with, PAM is the place to
look.)

regards, tom lane

Re: password administration

on 05.08.2010 22:54:23 by Scott Marlowe

On Thu, Aug 5, 2010 at 2:27 PM, Scott Marlowe wrote:
> On Thu, Aug 5, 2010 at 2:20 PM, Craig James wrote:
>> On 8/5/10 12:58 PM, Mark Steben wrote:
>>>
>>> I would like to set up a facility that enforces password changes for roles
>>> After a predefined period (30 days for instance) when logging into psql
>>> Or, at the very least, send an email out to notify that your current
>>> Password period is about to expire. Preferably, I'd like to use
>>> The 'rolvaliduntil' column in pg_roles.
>>>
>>> I'm wondering if there is an app inside or outside of postgres
>>> that I can use or do I have to design from scratch.
>>
>> This is an off-topic response, but security experts have said that this is a
>> REALLY bad idea. It forces people to choose a new password, which means
>> they can't remember it. So what do they do? They write it down. Anyone
>> snooping around their office can find it.
>>
>> Besides, when a password is stolen, it's usually used within minutes.
>> Making everyone change every month does no good at all.
>>
>> A better solution is to implement a password-strength algorithm and require
>> people to select decent passwords to begin with.
>
> Exactly. If you allow simpler passwords that have to be changed you
> get things like:
>
> ilovemywife22 md5: b845aec254d018d118fe52c46ee8c98c
>
> changed to
>
> ilovemywife23 md5: 8c2b59e4d961478e3a9d5bd94979f329
>
> You can't tell how close they are by the md5. If you try to prevent
> people from reusing similar passwords, then you have to store either
> the previous passwords (bad security) or something like a soundex of
> the previous password (also bad security.)
>
> Better to have strong passwords and intrusion detection.

Also, if you do get strong passwords but then force people to change
them every 30 days, they wind up forgetting them. Which leads to two
other unintended problems. Either the admins get real used to
resetting passwords and get lazy about checking who they're resetting
passwords for and when, creating openings for social engineering
hacks, or people start writing down their complex passwords and
putting them under their keyboards etc.

If you require annual or bi-annual password changes you're far less
likely to have these issues pop up.

Take it to the extreme: how about requiring password changes every
hour, or 4 times a day? How would your methods now change? Something
similar to this is those key fobs that generate a new pseudo-random
key every x seconds, and you have to put in a recent one to log in.
That is far more useful for security than changing passwords often is.

Anyway, like Tom said, externalize it with PAM.

Re: password administration

on 05.08.2010 22:54:41 by Tom Lane

Scott Marlowe writes:
> On Thu, Aug 5, 2010 at 2:20 PM, Craig James wrote:
>> A better solution is to implement a password-strength algorithm and require
>> people to select decent passwords to begin with.

> Exactly. If you allow simpler passwords that have to be changed you
> get things like:

> ilovemywife22 md5: b845aec254d018d118fe52c46ee8c98c

> changed to

> ilovemywife23 md5: 8c2b59e4d961478e3a9d5bd94979f329

> You can't tell how close they are by the md5. If you try to prevent
> people from reusing similar passwords, then you have to store either
> the previous passwords (bad security) or something like a soundex of
> the previous password (also bad security.)

A place I know but won't name has a policy of storing your last five
passwords (hopefully in md5'd form, but I don't actually know that) and
not letting you reuse those. Of course this merely encourages people to
use a cycle of six or so passwords, like something they can remember
with one digit tagged on.

The real problem with any such policy is that what you actually want is
for people to use strong passwords that they can remember, and they are
never going to remember a good password if they have to invent a new one
every month. Aforesaid place has an administrative system that I have
to use maybe two or three times a year, with a password change interval
that is shorter than my average time between uses. Am I going to invent
a strong password that I will need to change the very next time I have
use for it? If I take the trouble, will I actually remember it next
time? Not a chance. So I write it down ... and I'm way more security
conscious than most people. Their loss for having a brain-dead password
policy.

regards, tom lane

Re: password administration

on 05.08.2010 23:10:14 by Scott Marlowe

Also, for reference:

http://research.microsoft.com/en-us/people/cormac/

Specifically:

http://research.microsoft.com/users/cormac/papers/2009/SoLongAndNoThanks.pdf

Re: password administration

on 05.08.2010 23:55:41 by Victor Hugo

Mark,

You could use LDAP to? that?

I use LDAP + apache

[]´s
Victor Hugo



2010/8/5 Tom Lane:
> "Mark Steben" writes:
>> I would like to set up a facility that enforces password changes for roles
>> After a predefined period (30 days for instance) when logging into psql
>> Or, at the very least, send an email out to notify that your current
>> Password period is about to expire.
>
> Usually we suggest using PAM when you want to do this, as there's all
> sorts of spare parts out there already for PAM-managed passwords.
>
> (I concur with the response questioning whether forced password changes
> are good policy, especially with an interval as short as that. But if
> you've got bullheaded management to deal with, PAM is the place to
> look.)
>
> regards, tom lane

Re: password administration

on 05.08.2010 23:56:31 by Victor Hugo

Correcting.... I use LDAP + postgresql

2010/8/5 Victor Hugo:
> Mark,
>
> You could use LDAP to? that?
>
> I use LDAP + apache
>
> []´s
> Victor Hugo
>
> 2010/8/5 Tom Lane:
>> "Mark Steben" writes:
>>> I would like to set up a facility that enforces password changes for roles
>>> After a predefined period (30 days for instance) when logging into psql
>>> Or, at the very least, send an email out to notify that your current
>>> Password period is about to expire.
>>
>> Usually we suggest using PAM when you want to do this, as there's all
>> sorts of spare parts out there already for PAM-managed passwords.
>>
>> (I concur with the response questioning whether forced password changes
>> are good policy, especially with an interval as short as that. But if
>> you've got bullheaded management to deal with, PAM is the place to
>> look.)
>>
>> regards, tom lane

Re: password administration

on 06.08.2010 03:32:54 by Bob Lunney

Mark,

Look into kerberos. You will have to recompile your server to use it.

Bob Lunney

--- On Thu, 8/5/10, Mark Steben wrote:

> From: Mark Steben
> Subject: [ADMIN] password administration
> To: pgsql-admin@postgresql.org
> Date: Thursday, August 5, 2010, 3:58 PM
>
> Hi postgres gurus:
>
> I would like to set up a facility that enforces password
> changes for roles
> After a predefined period (30 days for instance) when
> logging into psql
> Or, at the very least, send an email out to notify that
> your current
> Password period is about to expire. Preferably, I'd
> like to use
> The 'rolvaliduntil' column in pg_roles.
>
> I'm wondering if there is an app inside or outside of
> postgres
> that I can use or do I have to design from scratch.
>
> Thanks for your time,
>
> Mark Steben | Database Administrator
> @utoRevenue® - "Keeping Customers Close"
> 95D Ashley Ave, West Springfield, MA 01089
> 413.243.4800 x1512 (Phone) | 413.732-1824 (Fax)
> @utoRevenue is a registered trademark and a division of
> Dominion
> Enterprises

Re: password administration

on 08.08.2010 22:55:05 by Andrzej Zawadzki

On 05.08.2010 22:54, Tom Lane wrote:
> Scott Marlowe writes:
>
>> On Thu, Aug 5, 2010 at 2:20 PM, Craig James wrote:
>>
>>> A better solution is to implement a password-strength algorithm and require
>>> people to select decent passwords to begin with.
>>>
>
>> Exactly. If you allow simpler passwords that have to be changed you
>> get things like:
>>
>
>> ilovemywife22 md5: b845aec254d018d118fe52c46ee8c98c
>>
>
>> changed to
>>
>
>> ilovemywife23 md5: 8c2b59e4d961478e3a9d5bd94979f329
>>
>
>> You can't tell how close they are by the md5. If you try to prevent
>> people from reusing similar passwords, then you have to store either
>> the previous passwords (bad security) or something like a soundex of
>> the previous password (also bad security.)
>>
> A place I know but won't name has a policy of storing your last five
> passwords (hopefully in md5'd form, but I don't actually know that) and
> not letting you reuse those. Of course this merely encourages people to
> use a cycle of six or so passwords, like something they can remember
> with one digit tagged on.
>
Hi!
Such a policy is in force in my country (Poland), but only if the system
contains personal data (government law):
8 or more characters - 2 capital letters, 2 digits.
And... sometimes this is a pain in the... but we don't have a choice.

TIP: you don't need 6 passwords - just 2 - with different one character ;-)

--
Andrzej Zawadzki
