MigOpsRepos / credcheck

PostgreSQL plain credential checker
MIT License

Passwords should not be reused for X number of cycles #7

Closed umairshahid closed 1 year ago

umairshahid commented 2 years ago

This comes in from an interview with a customer, they need support for restricting a password not to be reused for X number of cycles as part of regulatory compliance.

Gabi201265 commented 1 year ago

Hello,

I was wondering if the question was still relevant. Indeed, I was asked to implement password historization. Can you help me please?

darold commented 1 year ago

Interesting, I will look to add this feature to credcheck.

darold commented 1 year ago

Commit 42cf2cc adds this feature. Please let us know if that corresponds to your needs.

Gabi201265 commented 1 year ago

Hello,

I'm looking at the code you made and I have one question about it. Where is the credcheck schema created? In which database?

darold commented 1 year ago

Hi @Gabi201265, the credcheck schema and the history table are created in the database where the extension is created. Users are global objects and can connect to other databases, so we need to find a way to have a global history table.

Gabi201265 commented 1 year ago

Hi @darold,

Thank you for your answer. However, I have a second question. Indeed, after modifying the shared preload library and restarting the database, if I don't do a create extension, I can still modify the parameters by doing a set. Where are these parameters stored? Why can't I find them in the database? When I quit the SQL session and come back to it, the default settings are restored. Do I have to do an alter system?

The credcheck.password_reuse_history works! Thank you very much!

gilles-migops commented 1 year ago

These are custom parameters, so they can be used/set even if the extension is not installed, but they are just useless. For example, you can define any custom parameter, like SET foo.bar TO 12; even if there is no foo extension.

You might want to set the credcheck parameters in the configuration file.

Please do not use the password reuse policy in production for the moment; this is just a POC to validate the feature. I still have to work on using some kind of global catalog table to be able to apply the policies on any database without having to create the extension, but just using the shared_preload_library.
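An added illustration of the point made above (not code from the credcheck project or from this thread): a session-level SET of a dotted custom parameter is accepted whether or not the extension exists, but it lives only in that session, whereas the server-wide setting belongs in postgresql.conf with the library preloaded. The value 3, the role name and the passwords are constructed; the exact rejection message is whatever credcheck emits.

```sql
-- Session-level SET: PostgreSQL accepts any dotted "custom" parameter name,
-- so this succeeds even with no credcheck extension installed.
-- It is only a placeholder in this session and is gone after reconnecting.
SET credcheck.password_reuse_history TO 3;
SHOW credcheck.password_reuse_history;   -- shows 3, but only in this session

-- Server-wide setting (assumed semantics: remember the last N passwords).
-- Put these in postgresql.conf; shared_preload_libraries needs a restart:
--   shared_preload_libraries = 'credcheck'
--   credcheck.password_reuse_history = 3
-- Confirm the library and value are really active in a fresh session:
SHOW shared_preload_libraries;            -- must list credcheck
SHOW credcheck.password_reuse_history;    -- 3 from the configuration file

-- Exercise the policy with a constructed role (hypothetical name):
CREATE ROLE app_user LOGIN PASSWORD 'first-secret';
ALTER ROLE app_user PASSWORD 'second-secret';
ALTER ROLE app_user PASSWORD 'third-secret';
-- Reusing a password that is still within the remembered history should be
-- rejected by the preloaded credcheck library, not silently accepted:
ALTER ROLE app_user PASSWORD 'first-secret';
```

If the last statement succeeds, the library was not preloaded or the parameter only existed as a session placeholder, which is the situation described in this thread.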

Gabi201265 commented 1 year ago

Okay, that's what I thought, thanks a lot!

Yes I was already planning to deploy it in development while waiting for a stable version.

Thanks again, I'll stay tuned

Gabi201265 commented 1 year ago

Hi @darold ,

I would like to know if the password historization feature is operational without activating the extension, but only by configuring it in the conf file. If you haven't had the time to work on it, I would like to know how I can help you to fix it.

Have a great day, Gabriel

darold commented 1 year ago

Hi Gabriel,

Yes, in the end this feature will be enabled through the configuration file and not at the user session level like now. In this POC it is activated/disabled at session time just for test purposes. The credcheck library will need to be loaded in shared_preload_library.

For the moment I am giving a 2-week PostgreSQL training so I have no time to work on this, but I have planned to work on it at the end of the month; if you want to implement it, just let me know.

Gabi201265 commented 1 year ago

Hello @darold,

Thank you for your answer.

I'll take some holidays this month so I won't be able to work on it a lot. I think that it's better if I wait for you :).

darold commented 1 year ago

@Gabi201265 the last commits move the password history feature to shared memory. See the README.md file and the test/sql/0[56]* files for usage.

Please give it a try and let us know if that corresponds to your needs.

darold commented 1 year ago

Release v1.0 has been published including this feature.