On Mon, Jun 24, 2024 at 8:00 PM o1bigtenor <o1bigte...@gmail.com> wrote:
> On Sun, Jun 23, 2024 at 10:10 AM Greg Sabino Mullane <htamf...@gmail.com> wrote:
>> On Sun, Jun 23, 2024 at 5:30 AM Martin Goodson <kaema...@googlemail.com> wrote:
>>> I believe that our security team is getting most of this from our auditors, who seem convinced that minimal complexity, password history etc. are the way to go despite the fact that, as you say, server-side password checks can't really be implemented when the database receives a hash rather than a clear text password, and password minimal complexity etc. is not perhaps considered the gold standard it once was.
>>>
>>> In fact, I think they see a hashed password as a disadvantage.
>>
>> Wow, full stop right there. This is a hill to die on.
>>
>> Push back and get some competent auditors. This should not be a DBA's problem. Your best bet is to use Kerberos, and throw the password requirements out of the database realm entirely.
>>
>> Also, the discussion should be about 2FA, not password history/complexity.
>
> Hmmmmmmm - - - - 2FA - - - - what I've seen of it so far is that authentication is most often done using totally insecure tools (emailing some numbers or using SMS). Now if you were espousing the use of security dongles and such I would agree - - - - otherwise you are promoting the veneering of insecurity on insecurity with the hope that this helps.
>
> IMO having excellent passwords far trumps even 2FA - - - - 2FA is useful when simple or quite easily broken passwords are required. Now when you add the lack of SMS possibilities (due to lack of signal) 2FA is a usually potent PITA because of course SMS 'always' works (except it doesn't(!!!!!!!!!!!!!!!!)).
>
> (Can you tell that I've been bitten in the posterior repeatedly with this garbage?)

For 2FA, a simple solution is to require a password plus clientcert=sameuser. This allows you to authorize devices/user accounts for specific remote database connections and provides that second factor -- i.e. something you have as well as something you know.

Regards
-- 
Best Wishes,
Chris Travers

Efficito: Hosted Accounting and ERP. Robust and Flexible. No vendor lock-in.
http://www.efficito.com/learn_more
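A pg_hba.conf fragment showing the password-plus-client-certificate setup described in the reply above, as an added example that is not part of the thread. It assumes PostgreSQL 12 or later, ssl = on with ssl_ca_file = 'root.crt' in postgresql.conf, and client certificates whose CN equals the database role name; it uses the option name documented by PostgreSQL, clientcert=verify-full, where the post writes clientcert=sameuser.

```conf
# pg_hba.conf (added example, not from the thread)
# Assumes PostgreSQL 12+, ssl = on and ssl_ca_file = 'root.crt' in
# postgresql.conf, and client certificates whose CN equals the role name.

# Weak: a single factor (the password), and a plain "host" line also
# accepts connections that are not TLS-encrypted.
host    all   all   10.0.0.0/8   scram-sha-256

# Hardened: TLS is mandatory, the client must present a certificate
# signed by root.crt whose CN matches the role (something you have),
# and must still pass SCRAM authentication (something you know).
# The post calls this clientcert=sameuser; the name in the PostgreSQL
# documentation since version 12 is clientcert=verify-full.
hostssl all   all   10.0.0.0/8   scram-sha-256   clientcert=verify-full
```

A client then connects with its certificate, e.g. `psql "host=db.example.com user=alice sslmode=verify-full sslcert=alice.crt sslkey=alice.key"`. Connections that lack a certificate, or present one whose CN differs from the role, fail authentication and are logged by the server, which makes misuse of a leaked password alone easy to spot.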