Re: Password policy
From | D'Arcy J.M. Cain |
---|---|
Subject | Re: Password policy |
Date | |
Msg-id | 20080116022956.b1e1e506.darcy@druid.net |
In response to | Password policy ("Roberts, Jon" <Jon.Roberts@asurion.com>) |
Responses | Re: Password policy |
List | pgsql-hackers |
On Tue, 15 Jan 2008 16:11:16 -0600
"Roberts, Jon" <Jon.Roberts@asurion.com> wrote:
> I need to set a basic password policy for accounts but I don't see any
> documentation on how to do it. I'm assuming there is a way to do this,
> maybe even with a trigger.
>
> The policy would be something like this:
> 1. Must contain letters and numbers
> 2. Must be at least 8 characters long
> 3. Must contain one special character (#,@,$,%,!, etc)
> 4. Password (not the account) must expire after 90 days
> 5. Must warn users 10 days before the expire to change the password

Look at my chkpass type in contrib. There is a function to verify the
password. It is just a placeholder now but you can modify it to do all
your checking.

Policies 4 & 5 may require further work either in the chkpass type or
with a separate field. Details are hard to suggest as I can think of
three or four methods right away but it all depends on more detailed
requirements to determine the best one.

Non-database related suggestion: Reconsider 4 & 5 anyway. Forcing
people to change their passwords all the time is less secure, not more.
In those situations you tend to find a lot more passwords on post-it
notes and in clear text files.

--
D'Arcy J.M. Cain <darcy@druid.net>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 425 1212     (DoD#0082)    (eNTP)   |  what's for dinner.
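
Added example, not part of the original message and not the chkpass source: one way rules 1 to 3 of the quoted policy could be checked in C, the language of the contrib module. The function name, the result codes, and the reading of "special character" as ASCII punctuation are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Result codes (hypothetical names, not taken from chkpass). */
enum pw_policy_result {
    PW_OK = 0,
    PW_TOO_SHORT,   /* rule 2: fewer than 8 characters */
    PW_NO_LETTER,   /* rule 1: no letter present */
    PW_NO_DIGIT,    /* rule 1: no number present */
    PW_NO_SPECIAL   /* rule 3: no special character present */
};

#define PW_MIN_LEN 8

/*
 * Check a candidate password against rules 1-3 of the quoted policy.
 * Length is counted in bytes, so a multibyte character counts more than
 * once. "Special" is assumed to mean ASCII punctuation as classified by
 * ispunct() in the C locale; the policy only lists "#,@,$,%,!, etc".
 */
enum pw_policy_result
check_password_policy(const char *pw)
{
    int has_letter = 0, has_digit = 0, has_special = 0;
    const unsigned char *p;

    if (pw == NULL || strlen(pw) < PW_MIN_LEN)
        return PW_TOO_SHORT;

    /* Use unsigned char: a negative char passed to <ctype.h> is undefined. */
    for (p = (const unsigned char *) pw; *p != '\0'; p++)
    {
        if (isalpha(*p))
            has_letter = 1;
        else if (isdigit(*p))
            has_digit = 1;
        else if (ispunct(*p))
            has_special = 1;
    }

    if (!has_letter)
        return PW_NO_LETTER;
    if (!has_digit)
        return PW_NO_DIGIT;
    if (!has_special)
        return PW_NO_SPECIAL;
    return PW_OK;
}
```

The check has to run on the cleartext before it is hashed, since nothing about its composition can be recovered afterwards.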