5.6 Ensure Password Complexity is configured

Information

Password complexity configuration is crucial to restrict unauthorized access to data. By default, PostgreSQL does not enforce password complexity. Moreover, many compliance frameworks such as PCI DSS and HIPAA require both password complexity and length. The NIST 800-63B Digital Identity Guidelines publication is a good reference for authentication management.

Rationale:

Having strong password management for your locally-authenticated PostgreSQL accounts will protect against attackers' brute-force techniques. This is especially important if external authentication cannot be implemented due to application requirements or restrictions.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Alter the postgresql.conf configuration file to load the passwordcheck module through the shared_preload_libraries parameter, then restart the PostgreSQL service:

$ vi ${PGDATA}/postgresql.conf

Find the shared_preload_libraries entry, and add 'passwordcheck' to it (preserving any existing entries):

shared_preload_libraries = '$libdir/passwordcheck'

OR

shared_preload_libraries = 'pgaudit,$libdir/passwordcheck,somethingelse'

Restart the PostgreSQL server for the change to take effect (shared_preload_libraries is only read at server start, so a reload is not sufficient):

# whoami
root
# systemctl restart postgresql-16
# systemctl status postgresql-16|grep 'ago$'
Active: active (running) since [date] 10s ago
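The edit above is usually done by hand, but it is easy to get wrong on a host where shared_preload_libraries already carries entries (pgaudit, pg_stat_statements and so on), and a second run of a hardening script must not add passwordcheck twice. The POSIX sh script below is an added example, not part of the CIS benchmark or of Tenable's audit text: it reads the active shared_preload_libraries value from a postgresql.conf path you pass in, appends '$libdir/passwordcheck' only if no existing entry already names the module (with or without the $libdir/ prefix), rewrites the file, and is a no-op on repeat runs. The restart and the verification with `SHOW shared_preload_libraries;` still happen separately, as in the benchmark text. One caveat worth knowing before relying on this control: passwordcheck can only evaluate a password that the server receives in clear text (for example `ALTER ROLE ... PASSWORD 'secret'`); when a client pre-hashes the password (psql's `\password` with scram-sha-256 does this), the module has nothing to inspect, so complexity is enforced on the client side or not at all.

```sh
#!/bin/sh
# Added example (not from the CIS benchmark or Tenable): idempotently merge
# '$libdir/passwordcheck' into shared_preload_libraries in a postgresql.conf.
# Assumption: the config path is given as the function argument; the server
# restart is performed separately by the operator.

PASSWORDCHECK='$libdir/passwordcheck'

# merge_preload CURRENT_VALUE -> prints the new comma-separated value.
# Existing entries are preserved; passwordcheck is appended only if no entry
# already names it, so calling this twice yields the same result.
merge_preload() {
    cur=$1
    old_ifs=$IFS; IFS=','
    for entry in $cur; do
        # strip surrounding whitespace so 'pgaudit, passwordcheck' still matches
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$entry" in
            passwordcheck|'$libdir/passwordcheck')
                IFS=$old_ifs
                printf '%s\n' "$cur"
                return 0
                ;;
        esac
    done
    IFS=$old_ifs
    if [ -z "$cur" ]; then
        printf '%s\n' "$PASSWORDCHECK"
    else
        printf '%s,%s\n' "$cur" "$PASSWORDCHECK"
    fi
}

# current_preload FILE -> prints the value of the active (uncommented)
# shared_preload_libraries setting, or nothing if it is not set.
# Like PostgreSQL itself, the last active occurrence wins.
current_preload() {
    sed -n "s/^[[:space:]]*shared_preload_libraries[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | tail -n 1
}

# set_preload FILE VALUE -> rewrites every active shared_preload_libraries
# line with VALUE, or appends one if the file has none. A commented-out
# default line ('#shared_preload_libraries = ...') is left untouched.
set_preload() {
    file=$1; value=$2
    tmp="$file.tmp.$$"
    awk -v val="$value" -v q="'" '
        /^[[:space:]]*shared_preload_libraries[[:space:]]*=/ {
            print "shared_preload_libraries = " q val q; done = 1; next
        }
        { print }
        END { if (!done) print "shared_preload_libraries = " q val q }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# ensure_passwordcheck FILE -> merges, writes, and prints the resulting value.
ensure_passwordcheck() {
    file=$1
    cur=$(current_preload "$file")
    new=$(merge_preload "$cur")
    set_preload "$file" "$new"
    printf '%s\n' "$new"
}

# demo: builds a constructed postgresql.conf fragment in a temp file, applies
# the change twice, and shows that the second run changes nothing.
demo() {
    conf=$(mktemp)
    printf '%s\n' "#shared_preload_libraries = ''" \
                  "shared_preload_libraries = 'pgaudit'" \
                  "max_connections = 100" > "$conf"
    echo "first run:  $(ensure_passwordcheck "$conf")"
    echo "second run: $(ensure_passwordcheck "$conf")"
    rm -f "$conf"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh ensure_passwordcheck.sh demo` to see the merge on constructed input, or source it and call `ensure_passwordcheck "${PGDATA}/postgresql.conf"` as root before the `systemctl restart` step. The script deliberately does not touch the commented default line, so a later reader of the file still sees the distribution's original entry above the active one.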

See Also

https://workbench.cisecurity.org/benchmarks/17003

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)

Plugin: PostgreSQLDB

Control ID: d66cc6746e8dc39e51e0655939781f766d5a32ad8e91adfd0ab02b02a243a9f2