Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Master key regex-based complexity rules violate NIST guidelines #109

Closed
davidfetter opened this issue Sep 24, 2020 · 8 comments
Closed

Master key regex-based complexity rules violate NIST guidelines #109

davidfetter opened this issue Sep 24, 2020 · 8 comments
Assignees
@jesperpedersen
Labels
enhancement Improvement to an existing feature

Comments

@davidfetter
Copy link
Contributor

Describe the bug

As title

To Reproduce

Read the documents, which users will have to do every time they try to set a master key.

Version

All

PostgreSQL

All

libev

All

OpenSSL

All

Access method

All

OS

All

ulimit

Not needed.

Configuration

Can you provide the configuration pgagroal ?

  • pgagroal.conf
  • pgagroal_hba.conf
  • pgagroal_databases.conf
  • pgagroal_users.conf

Debug logs

Not needed

Tip

Use actual, as opposed to theatrical, security. According to NIST guidelines, you could suggest ways (pwgen, e.g.) to generate high-randomness strings and then have a check that goes to cracklib and/or database of pwned password hashes. "Complexity" patterns simply harass users, and are well known to cracklib and to similar tools.
@davidfetter davidfetter added the bug Something isn't working label Sep 24, 2020
@jesperpedersen
Copy link
Collaborator

Are you thinking additional checks or more documentation here ?

Or external tool integration ?

@jesperpedersen
Copy link
Collaborator

Maybe pgagroal-admin master-key --generate that only relies on internal algorithms for key generation..

@davidfetter
Copy link
Contributor Author

Whatever's most convenient for you, but please not to harass users with security theater. In 2020, having password complexity regexes isn't just annoying. It's unprofessional.

@jesperpedersen
Copy link
Collaborator

The user doesn't really have to know the password as all the other files can be regenerated, but I think there needs to be a baseline of regexs.

@davidfetter
Copy link
Contributor Author

No, it really, really does NOT need to have this superstitious nonsense. We've known for a very long time that these password rules have zero security benefit, and actually decrease security by harassing users into choosing weak passwords. That is extremely well established, and you need to stop perpetuating it.

jesperpedersen added a commit that referenced this issue Sep 25, 2020
@jesperpedersen
[#109] Add a generate option for master-key, and relax requirements
fb52eba
@jesperpedersen jesperpedersen self-assigned this Sep 25, 2020
@jesperpedersen jesperpedersen added enhancement Improvement to an existing feature and removed bug Something isn't working labels Sep 25, 2020
@jesperpedersen
Copy link
Collaborator

I have added the --generate option, and relaxed the requirements. Master key still needs to be at least 8 characters.

Thanks !

@MichaelDBA
Copy link

Man this was interesting reading! Love the debate among exceptional minds.

@davidfetter
Copy link
Contributor Author

Thanks!!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jesperpedersen jesperpedersen

Labels
enhancement Improvement to an existing feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@davidfetter @jesperpedersen @MichaelDBA