On Sun, Jun 23, 2024 at 5:30 AM Martin Goodson <kaema...@googlemail.com> wrote:
> I believe that our security team is getting most of this from our
> auditors, who seem convinced that minimal complexity, password history
> etc are the way to go despite the fact that, as you say, server-side
> password checks can't really be implemented when the database receives a
> hash rather than a clear text password and password minimal complexity
> etc is not perhaps considered the gold standard it once was.
>
> In fact, I think they see a hashed password as a disadvantage.

Wow, full stop right there. This is a hill to die on. Push back and get some competent auditors. This should not be a DBA's problem.

Your best bet is to use Kerberos, and throw the password requirements out of the database realm entirely. Also, the discussion should be about 2FA, not password history/complexity.

Cheers,
Greg