Setting Password Security Policies

Procedure

User passwords are stored in the system catalog pg_authid. To prevent password leakage, GaussDB encrypts user passwords before storing them. The encryption algorithm is determined by the configuration parameter password_encryption_type.

If the password_encryption_type parameter is set to 0, passwords are encrypted using MD5. The MD5 encryption algorithm is not recommended because it has lower security and poses security risks.
If the password_encryption_type parameter is set to 1, passwords are encrypted using SHA-256 and MD5. The MD5 encryption algorithm is not recommended because it has lower security and poses security risks.
If parameter password_encryption_type is set to 2, passwords are encrypted using SHA-256. This is the default configuration.
If parameter password_encryption_type is set to 3, passwords are encrypted using SM3.

Connect to a database. For details, see Connecting to a Database.

View the configured encryption algorithm.

      
           openGauss=# SHOW password_encryption_type;
 password_encryption_type
--------------------------
 2
(1 row)

Configure password security parameters.

Password complexity
You need to specify a password when initializing a database, creating a user, or modifying a user. The password must meet the complexity check rules (see password_policy). Otherwise, you are prompted to enter the password again.
- If parameter password_policy is set to 1, the default password complexity rule is used to check passwords.
- If password_policy is set to 0, the password complexity rule is not used. However, the password cannot be empty and must contain only valid characters, including uppercase letters (A–Z), lowercase letters (a–z), digits (0–9), and special characters (see Table 1). You are not advised to set this parameter to 0 because this operation poses security risks. If the setting is required, you must set password_policy to 0 on all cluster nodes.
Configure the password_policy parameter.
The password complexity and length requirements are as follows:
- Minimum number of uppercase letters (A-Z) (password_min_uppercase)
- Minimum number of lowercase letters (a-z) (password_min_lowercase)
- Minimum number of digits (0-9) (password_min_digital)
- Minimum number of special characters (password_min_special) (Table 1 lists special characters.)
- Minimum length of a password (password_min_length)
- Maximum length of a password (password_max_length)
  
  For details, see "GUC Parameters" in Developer Guide.
- A password must contain at least three types of the characters (uppercase letters, lowercase letters, digits, and special characters).
- A password is case insensitive and cannot be the username or the username spelled backwards.
- A new password cannot be the current password and the current password spelled backwards.
- It must be a strong password.
  - Weak passwords are weak passwords that are easy to crack. The definition of weak passwords may vary with users or user groups. Users can define their own weak passwords.
  - Passwords in the weak password dictionary are stored in the gs_global_config system catalog. When a user is created or modified, the password set by the user is compared with the password stored in the weak password dictionary. If the password is matched, a message is displayed, indicating that the password is weak and the password fails to be set.
  - The weak password dictionary is empty by default. You can add or delete weak passwords using the following syntax:
    CREATE WEAK PASSWORD DICTIONARY WITH VALUES ('password1'), ('password2');
    
    DROP WEAK PASSWORD DICTIONARY;
Password reuse
An old password can be reused only when it meets the requirements on reuse days (password_reuse_time) and reuse times (password_reuse_max). Table 2 lists the parameter configurations.

The default values of the password_reuse_time and password_reuse_max parameters are 0, respectively. Large values of the two parameters bring higher security. However, if the values of the parameters are set too large, inconvenience may occur. The default values of the two parameters meet the security requirements. You can change the parameter values as needed for higher security.

Configure the password_reuse_time parameter.

Configure the password_reuse_max parameter.
Password validity period
A validity period (password_effect_time) is set for each database user password. If the password is about to expire (password_notify_time), the system displays a message to remind the user to change it upon login.

Considering the usage and service continuity of a database, the database still allows a user to log in after the password expires. A password change notification is displayed every time the user logs in to the database until the password is changed.

Configure the password_effect_time parameter.

Configure the password_notify_time parameter.

Password change

During database installation, an OS user with the same name as the initial user is created. The password of the OS user needs to be periodically changed for account security.
To change the password of user user1, run the following command:
```
passwd user1
```
Change the password as prompted.

System administrators and common users need to periodically change their passwords to prevent the accounts from being stolen.

For example, to change the password of user user1, connect to the database as the system administrator and run the following commands:

          
               openGauss=# ALTER USER user1 IDENTIFIED BY "1234@abc" REPLACE "5678@def";
ALTER ROLE

1234@abc and 5678@def represent the new password and the original password of user user1, respectively. If the new password does not have the required complexity, the change will not take effect.

Administrators can change their own and common users' passwords. If common users forget their passwords, they can ask administrators to change the passwords.

To change the password of user joe, run the following command:

          
               openGauss=# ALTER USER joe IDENTIFIED BY "abc@1234";
ALTER ROLE

System administrators are not allowed to change passwords for each other.
A system administrator can change the password of a common user without being required to provide the common user's old password.
A system administrator can change their own password but is required to provide the old password.

Password verification

Password verification is required when you set the user or role in the current session. If the entered password is inconsistent with the stored password of the user, an error is reported.

If user joe needs to be set, run the following command:

        
             openGauss=# SET ROLE joe PASSWORD "abc@1234";
ERROR:  Invalid username/password,set role denied.

**Table 1** Special characters
No.	Character	No.	Character	No.	Character	No.	Character
1	~	9	*	17	\|	25	<
2	!	10	(	18	[	26	.
3	@	11	)	19	{	27	>
4	#	12	N/A	20	}	28	/
5	$	13	_	21	]	29	?
6	%	14	=	22	;	N/A	N/A
7	^	15	+	23	:	N/A	N/A
8	&	16	\	24	,	N/A	N/A

**Table 2** Parameter description for reuse days and reuse times
Parameter	Value Range	Description
Number of days during which a password cannot be reused (password_reuse_time)	Positive number or 0. The integral part of a positive number indicates the number of days and its decimal part can be converted into hours, minutes, and seconds. The default value is 0.	If the parameter value is changed to a smaller one, new password will be checked based on the new parameter value. If the parameter value is changed to a larger one (for example, changed from a to b), the historical passwords before b days probably can be reused because these historical passwords may have been deleted. New passwords will be checked based on the new parameter value. NOTE: The absolute time is used. Historical passwords are recorded using absolute time and unaffected by local time changes.
Number of consecutive times that a password cannot be reused (password_reuse_max)	Positive integer or 0. The value 0 indicates that the number of consecutive times that a password cannot be reused is not checked.	If the parameter value is changed to a smaller one, new password will be checked based on the new parameter value. If the parameter value is changed to a larger one (for example, changed from a to b), the historical passwords before the last b passwords probably can be reused because these historical passwords may have been deleted. New passwords will be checked based on the new parameter value.

Set user password expiration.

When creating a user, a user with the CREATEROLE permission can force the user password to expire. After logging in to the database for the first time, a new user can perform query operations only after changing the password. The command format is as follows:

      
           openGauss=# CREATE USER joe PASSWORD "abc@1234" EXPIRED;
CREATE ROLE

A user with the CREATEROLE permission can force a user password to expire or force a user to change the forcibly expired password. The command format is as follows:

      
           openGauss=# ALTER USER joe PASSWORD EXPIRED;
ALTER ROLE

      
           openGauss=# ALTER USER joe PASSWORD "abc@2345" EXPIRED;
ALTER ROLE

After a user whose password is invalid logs in to the database, the system prompts the user to change the password when the user performs a simple or extended query. The user can then execute the statement after changing the password.
Only initial users, system administrators (sysadmin), and users who have the permission to create users (CREATEROLE) can invalidate user passwords. System administrators can invalidate their own passwords or the passwords of other system administrators. The password of initial users cannot be invalidated.

Parent topic: Setting Security Policies

Previous topic: Setting the Validity Period of an Account

Next topic: Configuring Database Audit