Password history and reuse

A database user can change an account password by issuing the ALTER PASSWORD SQL command. By default, the system does not ensure that a new account password is different from any previous passwords for that account. However, the system keeps an encrypted history of all passwords for each account. If you have security policies that specify when a password can be reused, you can configure the system to enforce that policy.

To do this:

  1. Log in to the system as the nz user.
  2. Open the /nz/data/postgresql.conf file in any text editor.
  3. Search for an entry similar to password_history=n in the file.
    • If the file already contains such an entry, ensure that the entry is not commented out (that is, that # is not the first character in the line) and that the specified value is a positive integer.
    • If the file does not already contain such an entry, create one. The value n must be greater than or equal to 0.
    The specified integer determines the number of the most recent passwords that cannot be reused.
    Note: Be careful not to change other entries, because doing so can have a negative impact on database operation.
  4. Save and exit the postgresql.conf file.
  5. Issue the nzstop command to stop the system.
  6. Issue the nzstart command to restart the system. This usually requires several minutes to complete.
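The edit in steps 2 and 3 can be scripted so that a commented-out, malformed or missing password_history entry is replaced with exactly one active entry and every other line is left untouched. This is an added shell example, not part of the original documentation; the file path and the sample configuration contents are constructed for the demonstration, and the script does not stop or start the system.

```shell
#!/bin/sh
# Added example (not from the original documentation): set or repair the
# password_history entry in a postgresql.conf-style file without touching
# other entries. File path and sample contents below are constructed.

# Print the effective (uncommented) password_history value, or nothing if unset.
get_password_history() {
  sed -n 's/^[[:space:]]*password_history[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Ensure the file contains exactly one active "password_history=N" line.
# Commented-out, malformed or duplicate entries are replaced in place;
# if no entry exists at all, one is appended at the end of the file.
set_password_history() {
  file=$1
  n=$2
  case $n in
    ''|*[!0-9]*) echo "password_history must be a non-negative integer" >&2; return 1 ;;
  esac
  tmp="$file.tmp.$$"
  awk -v n="$n" '
    # Any line whose first non-blank content (after an optional #) is
    # password_history= is rewritten; only the first such line is kept.
    /^[ \t]*#?[ \t]*password_history[ \t]*=/ {
      if (!done) { print "password_history=" n; done = 1 }
      next
    }
    { print }
    END { if (!done) print "password_history=" n }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demonstration on a constructed config fragment with a commented-out entry.
demo() {
  conf=$(mktemp)
  printf '%s\n' 'max_connections=64' '# password_history=3' 'log_destination=syslog' > "$conf"
  set_password_history "$conf" 5
  get_password_history "$conf"   # prints 5
  rm -f "$conf"
}

demo
```

Run it as the nz user against /nz/data/postgresql.conf once you have a backup of the file; the restart in steps 5 and 6 is still required for the new value to take effect.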

After the system restarts and is online, any request to change an account password will be checked to ensure that the new password has not recently been used for that account.