Re: Enhancements to passwordcheck

2017-09-25 15:04 GMT-03:00 Bossart, Nathan <bossartn(at)amazon(dot)com>:
> Currently, the passwordcheck module provides a few basic checks to strengthen
> passwords. However, any configuration must be ready at compile time, and many
> common password requirements cannot be enforced without creating a custom
> version of this module. I think there are a number of useful parameters that
> could be added to enable common password restrictions, including the following
> list, which is based on some asks from our customers:
>
> passwordcheck.min_password_length
> passwordcheck.min_uppercase_letters
> passwordcheck.min_lowercase_letters
> passwordcheck.min_numbers
> passwordcheck.min_special_chars
>
+1.

> passwordcheck.superuser_can_bypass
>
It is not clear if it will bypass the checks for (i) a new superuser
or (ii) a superuser creating a new role. I wouldn't recommend using
such option even tough it is a common practice.

> passwordcheck.max_expiry_period
>
How would you enforce that? If the password expires, you can log in to
change the password. If you let him/her to get in and change the
password, you can't obligate the user to do that. You could send a
message to remember that the password will expire but you can't
enforce that (unless you make a change in the protocol).

> passwordcheck.force_new_password
>
Does it mean a password different from the old one? +1. It could be
different from the last 3 passwords but we don't store a password
history.

--
Euler Taveira Timbira -
http://www.timbira.com.br/
PostgreSQL: Consultoria, Desenvolvimento, Suporte 24x7 e Treinamento