Re: Rejecting weak passwords - Mailing list pgsql-hackers
| From | Mark Mielke |
|---|---|
| Subject | Re: Rejecting weak passwords |
| Date | |
| Msg-id | 4AD74FF6.4010005@mark.mielke.cc |
| In response to | Re: Rejecting weak passwords ("Albe Laurenz" <laurenz.albe@wien.gv.at>) |
| List | pgsql-hackers |
On 10/15/2009 10:38 AM, Albe Laurenz wrote:

> Mark Mielke wrote:
>
>> Does Oracle really do password checks on the base SQL commands used to
>> change an Oracle password? That sounds silly.
>
> In Oracle you can write a stored procedure to check passwords;
> it is invoked whenever a user is created or altered.
>
> No matter how you change the password, Oracle can always recover
> the plaintext and feed it to the password checking function.
>
> So, unless you use the "Advanced Security" option (extra $$) that
> enables you to encrypt network connections, any eavesdropper
> with knowledge of Oracle's (secret) encryption algorithms can get
> your new password when you change it.
>
> And the DBA can get your password with ease.

Now I remember. Our "secure password server", used as single sign-on for most applications in the company, which normally avoids any application ever having to see or authenticate the login, needs to send the passwords in plain or encoded form (not one-way encrypted) to a few "broken" systems, which include systems designed around Oracle user management, to allow people to log in to these applications using their corporate-wide password. I remember thinking one word when I learned this... "awesome" (sarcastic tone playing in head). Where is the check box that says "prevents password recovery"?

For Dave Page: Understand that in a large company, as you are discussing, with policies that require strong passwords, the usual reason for requiring strong passwords is concern over privilege escalation. Access to one system gives you access to others. In the case of single sign-on, which is a requirement for any business with dozens or more applications, where it is unreasonable for each employee to actually memorize dozens of distinct "strong" passwords, access to one system gives you access to all systems. Therefore, "trust the DBA" makes no sense.

If the DBA can see my password, then they can log in to my employee records and check out what my salary or contact information is, or they can log in to one of the secure portals and authorize purchases as me. A *good* system is not trusted with the password. This is why I say you are focusing on making PostgreSQL what you think is a tiny bit better, but the gain is minor or artificial. If PostgreSQL starts requiring strong passwords, the world is not necessarily a better place in any mind except the person doing the ignorant checkbox evaluation who believes advertising at face value. If you need security, you should know enough to know you need something better than per-application password strength checkers.

Cheers,
mark

-- 
Mark Mielke <mark@mielke.cc>
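The structural point in the exchange above is that a strength check run inside the database server (Oracle's password-verify procedure, or the hook being debated for PostgreSQL) only works because the server has the plaintext in hand at that moment, which is also what lets a DBA or an eavesdropper recover it. The following Python is an added illustration, not code from this thread or from PostgreSQL or Oracle: it applies the policy at the point where the plaintext already exists (the client or password-changing tool) and then derives a salted, one-way PBKDF2 verifier, so that only the verifier is ever stored or transmitted. The policy thresholds, the tiny common-password list and the sample passwords are all constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed policy parameters for the example (not a PostgreSQL setting).
MIN_LENGTH = 12
COMMON = {"password", "password1", "letmein", "qwerty123456"}  # deliberately tiny


def check_strength(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable.

    This runs where the plaintext legitimately exists (client side), so the
    server never needs to see anything but the verifier produced below.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in COMMON:
        problems.append("appears on the common-password list")
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


def make_verifier(password: str, salt: bytes = None, iterations: int = 200_000) -> dict:
    """Derive a salted one-way verifier; the plaintext is not recoverable from it."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify(password: str, verifier: dict) -> bool:
    """Check a login attempt against the stored verifier (constant-time compare)."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(verifier["salt"]), verifier["iterations"]
    )
    return hmac.compare_digest(digest.hex(), verifier["digest"])


def set_password(password: str) -> dict:
    """Enforce the policy, then hand back only the verifier for storage.

    Raises ValueError with the list of violations when the policy fails.
    """
    problems = check_strength(password)
    if problems:
        raise ValueError("; ".join(problems))
    return make_verifier(password)


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("password1", "Tr0ub4dor&3xyz"):
        try:
            stored = set_password(candidate)
            print("accepted; stored digest %s..." % stored["digest"][:16])
            print("login with same password:", verify(candidate, stored))
            print("login with wrong password:", verify(candidate + "x", stored))
        except ValueError as err:
            print("rejected %r: %s" % (candidate, err))
```

The division of labour is the point: the policy and the plaintext meet only on the client, and what reaches the server is a verifier that satisfies neither a curious administrator nor a network eavesdropper, which is the property the message above says a "good" system should have.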