Re: password administration

On Thu, Aug 5, 2010 at 2:27 PM, Scott Marlowe <scott.marlowe@gmail.com> wrote:
> On Thu, Aug 5, 2010 at 2:20 PM, Craig James <craig_james@emolecules.com> wrote:
>> On 8/5/10 12:58 PM, Mark Steben wrote:
>>>
>>> I would like to set up a facility that enforces password changes for roles
>>> After a predefined period (30 days for instance) when logging into psql
>>> Or, at the very least, send an email out to notify that your current
>>> Password period is about to expire.  Preferably, I'd like to use
>>> The 'rolvaliduntil' column in pg_roles.
>>>
>>> I'm wondering if there is an app inside or outside of postgres
>>> that I can use or do I have to design from scratch.
>>
>> This is an off-topic response, but security experts have said that this is a
>> REALLY bad idea.  It forces people to choose a new password, which means
>> they can't remember it.  So what do they do?  They write it down.  Anyone
>> snooping around their office can find it.
>>
>> Besides, when a password is stolen, it's usually used within minutes.
>>  Making everyone change every month does no good at all.
>>
>> A better solution is to implement a password-strength algorithm and require
>> people to select decent passwords to begin with.
>
> Exactly.  If you allow simpler passwords that have to be changed you
> get things like:
>
> ilovemywife22   md5: b845aec254d018d118fe52c46ee8c98c
>
> changed to
>
> ilovemywife23  md5: 8c2b59e4d961478e3a9d5bd94979f329
>
> You can't tell how close they are by the md5.  If you try to prevent
> people from reusing similar passwords, then you have to store either
> the previous passwords (bad security) or something like a soundex of
> the previous password (also bad security.)
>
> Better to have strong passwords and intrusion detection.

Also, if you do get strong passwords but then force people to change
them every 30 days, they wind up forgetting them.  Which leads to two
other unintended problems.  Either the admins get real used to
resetting passwords and get lazy about checking who they're resetting
passwords for and when, creating openings for social engineering
hacks, or people start writing down their complex passwords and
putting them under their keyboards etc.

If you require annual or bi-annual password changes you're far less
likely to have these issues pop up.

Take it to the extreme, how about requiring password changes every
hour, or 4 times a day?  How would you methods now change?  Something
similar to this is those key fobs that generate a new pseudo random
key every x seconds, and you have to put in a recent one to log in.
That is far more uesful for security than changing passwords often is.

Anyway, like Tom said, externalize it with PAM.