From: "Albe Laurenz" on
Mark Mielke wrote:
> Does Oracle really do password checks on the base SQL commands used to
> change an Oracle password? That sounds silly.

In Oracle you can write a stored procedure to check passwords;
it is invoked whenever a user is created or altered.

No matter how you change the password, Oracle can always recover
the plaintext and feed it to the password checking function.

So, unless you use the "Advanced Security" option (extra $$) that
enables you to encrypt network connections, any eavesdropper
with knowledge of Oracle's (secret) encryption algorithms can get
your new password when you change it.

And the DBA can get your password with ease.

Yours,
Laurenz Albe

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Mark Mielke on
On 10/15/2009 03:54 AM, Dave Page wrote:
> On Wed, Oct 14, 2009 at 11:21 PM, Mark Mielke<mark(a)mark.mielke.cc> wrote:
>
>> On 10/14/2009 05:33 PM, Dave Page wrote:
>>
>>> No. Any checks at the client are worthless, as they can be bypassed by
>>> 10 minutes worth of simple coding in any of a dozen or more languages.
>>>
>>>
>> Why care?
>>
> Because many large (and small for that matter) organisations also have
> security policies which mandate the enforcement of specific password
> policies. Just because you think it's worthless to try to prevent
> someone reusing a password, or using 'password' doesn't mean that
> everyone else does. Some organisations will use such a feature in a
> box-ticking exercise when evaluating, and others may actually decide
> to use the feature, and expect it to work effectively.
>
> Beside, we are not in the habit of putting half-arsed features in
> PostgreSQL. If we do something, we do it properly.
>

You miss my point (and conveniently cut it out). For users who
accidentally break policy vs users who purposefully circumvent policy -
the approaches must be different, and the risk management decision may
be different.

It's a lot easier to circumvent policy than most people (management
specifically) realize. If your attempt it to absolutely prevent a
determined competent individual from circumventing your policy - you
need to do a LOT MORE than what you are suggesting.

If you just want to prevent accidents - having the client software do
the checks is fine.

Cheers,
mark

--
Mark Mielke<mark(a)mielke.cc>


--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Mark Mielke on
On 10/15/2009 10:08 AM, Dave Page wrote:
> It's certainly true that there are other ways for users to compromise
> their passwords if they want. The fact remains though, that most other
> DBMSs (and all major operating systems I can think of) offer password
> policy features as non-client checks which are difficult, if not
> impossible for the user to bypass. Clearly other people think it's
> important to do this, and we are compared against their products on a
> daily basis, so if we want to compete with them on a level playing
> field we need at least a comparable feature set.
>

Not so clear to me. If they're doing strong checks, this means they're
sending passwords in the clear or only barely encoded, or using some
OTHER method than 'alter role ... password ...' to change the password.

Point being - if you think this is absolutely important to do - don't go
+5% of the way - go 100% of the way.

Then again, I'm not so concerned about what arbitrary criteria some
person defines as "what makes a good database system". I'm more
concerned with what makes the system better for *me*. I don't see how
this entire thread helps *me* in any way - and I do understand the need
for strong passwords - and my company *does* have policies that require
strong passwords. Even if the plugin is provided - I'm not going to
activate it. I already have a policy for setting strong passwords that I
already follow.

Cheers,
mark

--
Mark Mielke<mark(a)mielke.cc>


--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Mark Mielke on
On 10/15/2009 10:38 AM, Albe Laurenz wrote:
> Mark Mielke wrote:
>
>> Does Oracle really do password checks on the base SQL commands used to
>> change an Oracle password? That sounds silly.
>>
> In Oracle you can write a stored procedure to check passwords;
> it is invoked whenever a user is created or altered.
>
> No matter how you change the password, Oracle can always recover
> the plaintext and feed it to the password checking function.
>
> So, unless you use the "Advanced Security" option (extra $$) that
> enables you to encrypt network connections, any eavesdropper
> with knowledge of Oracle's (secret) encryption algorithms can get
> your new password when you change it.
>
> And the DBA can get your password with ease.

Now I remember. Our "secure password server" used as single-sign on for
most applications in the company, which normally avoids any applications
ever having to see or authenticate the login, needs to send the
passwords in plain or encoded form (not one-way encrypted) to a few
"broken" systems, which include systems designed around Oracle user
management, to allow people to login to these applications using their
corporate wide password. I remember thinking one word when I learned
this... "awesome" (sarcastic tone playing in head).

Where is the check box that says "prevents password recovery"?

For Dave Page: Understand that in a large company, as you are
discussing, with policies that require strong passwords, the usual
reason for requiring strong passwords is due to concerns over privilege
escalation. Access to one system gives you access to others. In the case
of single sign-on, which is a requirement for any business with dozens
or more applications, where it is unreasonable for each employee to
actually memorize dozens of distinct "strong" passwords, access to one
system gives you access to all systems. Therefore, "trust the DBA" makes
no sense. If the DBA can see my password, then they can login to my
employee records and check out what my salary or contact information is,
or they can login to one of the secure portals and authorize purchases
as me. A *good* system, is not trusted with the password.

This is why I say you are focusing on making PostgreSQL what you think
is a tiny bit better, but the gain is minor or artificial. If PostgreSQL
starts requiring strong passwords - the world is not necessarily a
better place in any mind except the person doing the ignorant checkbox
evaluation who believes advertising on face value.

If you need security - you should know enough to know you need something
better than per-application password strength checkers.

Cheers,
mark

--
Mark Mielke<mark(a)mielke.cc>


--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Dave Page on
On Thu, Oct 15, 2009 at 5:28 PM, Mark Mielke <mark(a)mark.mielke.cc> wrote:
>
> Not so clear to me. If they're doing strong checks, this means they're
> sending passwords in the clear or only barely encoded, or using some OTHER
> method than 'alter role ... password ...' to change the password.

Some are sending them in the clear (though often over SSL connections).

> Point being - if you think this is absolutely important to do - don't go +5%
> of the way - go 100% of the way.

Exactly - that's why I want to see a check in the server, not the
client which should get to 95%. I also happen to agree with Magnus
that the only really secure way to do this on outside of SQL, but I
can't see us dropping ALTER USER ... WITH PASSWORD in a hurry.

> Then again, I'm not so concerned about what arbitrary criteria some person
> defines as "what makes a good database system". I'm more concerned with what
> makes the system better for *me*. I don't see how this entire thread helps
> *me* in any way - and I do understand the need for strong passwords - and my
> company *does* have policies that require strong passwords. Even if the
> plugin is provided - I'm not going to activate it. I already have a policy
> for setting strong passwords that I already follow.

That's an excellent point. It probably doesn't make any difference to
you or many of the other people on this list who are concerned with
running their own systems and may already use other techniques, such
as LDAP, SSPI etc.

A not-insignificant percentage of the people here are not concerned
with running their own systems though. They are working to help new
users adopt PostgreSQL, and make a living selling services or support
to those users. Sometimes that can be for huge projects, where it is
necessary to justify every difference in check-box items against other
products to get past the early eval stages. Like it or not, that is a
fact, and this hampers our adoption.


--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers