Master key regex-based complexity rules violate NIST guidelines #109

Closed
davidfetter opened this issue Sep 24, 2020 · 8 comments
Labels: enhancement (Improvement to an existing feature)

Comments

@davidfetter (Contributor)

Describe the bug

As title

To Reproduce

Read the documents, which users will have to do every time they try to set a master key.

Version

All

PostgreSQL

All

libev

All

OpenSSL

All

Access method

All

OS

All

ulimit

Not needed.

Configuration

Can you provide the configuration of pgagroal?

  • pgagroal.conf
  • pgagroal_hba.conf
  • pgagroal_databases.conf
  • pgagroal_users.conf

Debug logs

Not needed

Tip

Use actual, as opposed to theatrical, security. According to NIST guidelines, you could suggest ways (pwgen, e.g.) to generate high-randomness strings and then have a check that goes to cracklib and/or database of pwned password hashes. "Complexity" patterns simply harass users, and are well known to cracklib and to similar tools.

@davidfetter davidfetter added the bug Something isn't working label Sep 24, 2020
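The check the comment above argues for, written out as an added example (this is not pgagroal's code and not what the project implemented): a length floor in the spirit of NIST SP 800-63B section 5.1.1.2, a lookup against a breach corpus using the k-anonymity range protocol (only the first five hex digits of the SHA-1 leave the client), and deliberately no character-class regexes. The range response embedded here is constructed for offline use; the first suffix is the real SHA-1 of "password", the count and the second line are made up, and `fetch_range_offline` stands in for the HTTPS call.

```python
"""Memorized-secret check in the spirit of NIST SP 800-63B section 5.1.1.2:
a length floor plus a breach-corpus blocklist, and no composition rules.
Added example for this thread; not pgagroal's own code."""
import hashlib
from typing import Callable, Dict, Tuple

MIN_LEN = 8           # SP 800-63B: at least 8 characters for a user-chosen secret
ACCEPT_AT_LEAST = 64  # SP 800-63B: verifiers must accept secrets of at least 64 characters

# Constructed stand-in for the k-anonymity range API
# (GET https://api.pwnedpasswords.com/range/<first 5 hex digits of SHA-1>), which
# answers with "SUFFIX:COUNT" lines for every breached hash sharing that prefix.
# The first suffix is the real SHA-1 of "password" (5BAA61E4...) minus its prefix;
# the count and the second line are invented for this example.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "0123456789ABCDEF0123456789ABCDEF012:2\r\n"
    ),
}


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the HTTPS call; an empty body means no breached hash has this prefix."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF, blank lines tolerated) into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(secret: str, fetch_range: Callable[[str], str] = fetch_range_offline) -> int:
    """How many times `secret` appears in the breach corpus (0 if never).
    Only the 5-character hash prefix is sent; the suffix match happens locally."""
    digest = hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def check_master_key(secret: str,
                     fetch_range: Callable[[str], str] = fetch_range_offline) -> Tuple[bool, str]:
    """Return (accepted, reason). Note what is absent: no character-class rules,
    no upper-length cap below ACCEPT_AT_LEAST, only a floor and a blocklist."""
    if len(secret) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    hits = breach_count(secret, fetch_range)
    if hits:
        return False, f"found {hits} times in breach corpus; choose another"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("password", "short", "correct horse battery staple", "x" * ACCEPT_AT_LEAST):
        print(repr(candidate[:24]), check_master_key(candidate))
```

In production `fetch_range` would perform the HTTPS GET and should fail closed (reject or defer, not silently accept) when the service is unreachable; the offline stand-in returns an empty range for unknown prefixes only so the example runs without network access.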
@jesperpedersen (Collaborator)

Are you thinking additional checks or more documentation here?

Or external tool integration?

@jesperpedersen (Collaborator)

Maybe pgagroal-admin master-key --generate that only relies on internal algorithms for key generation.

@davidfetter (Contributor, Author)

Whatever's most convenient for you, but please don't harass users with security theater. In 2020, having password complexity regexes isn't just annoying. It's unprofessional.

@jesperpedersen (Collaborator)

The user doesn't really have to know the password, as all the other files can be regenerated, but I think there needs to be a baseline of regexes.

@davidfetter (Contributor, Author)

No, it really, really does NOT need to have this superstitious nonsense. We've known for a very long time that these password rules have zero security benefit, and actually decrease security by harassing users into choosing weak passwords. That is extremely well established, and you need to stop perpetuating it.

@jesperpedersen jesperpedersen self-assigned this Sep 25, 2020
@jesperpedersen jesperpedersen added enhancement Improvement to an existing feature and removed bug Something isn't working labels Sep 25, 2020
@jesperpedersen (Collaborator)

I have added the --generate option and relaxed the requirements. The master key still needs to be at least 8 characters.

Thanks!
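What a generate option that relies only on internal algorithms looks like, as an added example in Python (this is not the implementation behind pgagroal-admin master-key --generate, which is C, and the alphabet, default length and the MIN_LEN floor taken from the comment above are this example's own choices): draw every symbol uniformly from the OS CSPRNG, report the resulting entropy, and show why the naive `urandom_byte % 62` shortcut is not uniform.

```python
"""Master-key generation from a CSPRNG with no composition rules.
Added example; not pgagroal-admin's own code."""
import math
import secrets
import string
from collections import Counter

# 62 printable symbols that need no quoting or escaping in a config file (assumption).
ALPHABET = string.ascii_letters + string.digits
MIN_LEN = 8   # the floor pgagroal keeps after this issue; generated keys should be far longer


def generate_master_key(length: int = 32) -> str:
    """Uniform random key. secrets.choice uses the OS CSPRNG (os.urandom/getrandom)
    and rejection sampling, so every symbol is equally likely."""
    if length < MIN_LEN:
        raise ValueError(f"master key must be at least {MIN_LEN} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly generated key: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def modulo_bias_ratio(alphabet_size: int = len(ALPHABET)) -> float:
    """Why not `os.urandom(1)[0] % 62`? Count how often each symbol is hit across
    all 256 byte values: with 62 symbols the first 8 (256 = 4*62 + 8) are selected
    5 times each, the rest 4 times, so the most likely symbol is 1.25x the least."""
    hits = Counter(b % alphabet_size for b in range(256))
    return max(hits.values()) / min(hits.values())


if __name__ == "__main__":
    key = generate_master_key()
    print(key, f"{entropy_bits(len(key)):.1f} bits")
    print(f"8-char key from this alphabet: {entropy_bits(MIN_LEN):.1f} bits")
    print(f"modulo-bias ratio for % {len(ALPHABET)}: {modulo_bias_ratio()}")
```

The entropy numbers make the thread's point concrete: an 8-character key from this alphabet carries under 48 bits, which is only a floor for keys humans type, while the generated default of 32 characters carries about 190 bits and needs no regex to prove it.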

@MichaelDBA

Man this was interesting reading! Love the debate among exceptional minds.

@davidfetter (Contributor, Author)

Thanks!!!
