From: | Michael Banck <michael(dot)banck(at)credativ(dot)de> |
---|---|
To: | Gavin Flower <GavinFlower(at)archidevsys(dot)co(dot)nz> |
Cc: | Postgres hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Record last password change |
Date: | 2018-12-11 11:43:23 |
Message-ID: | 1544528603.30106.5.camel@credativ.de |
Lists: | pgsql-hackers |
Hi,

On Tuesday, 11.12.2018, at 23:45 +1300, Gavin Flower wrote:
> On 11/12/2018 23:33, Michael Banck wrote:
> > a customer recently mentioned that they'd like to be able to see when a
> > (md5, scram) role had their password last changed.
> >
> > Use-cases for this would be issuing an initial password and then later
> > making sure it got changed, or auditing that all passwords get changed
> > once a year. You can do that via external authentication methods like
> > ldap/gss-api/pam but in some setups those might not be available to the
> > DBAs.
> >
> > I guess it would amount to adding a column like rolpasswordchanged to
> > pg_authid and updating it when rolpassword changes, but maybe there is a
> > better way?
> >
> > The same was requested in https://dba.stackexchange.com/questions/91252/
> > how-to-know-when-postgresql-password-is-changed so I was wondering
> > whether this would be a welcome change/addition, or whether people think
> > it's not worth bothering to implement it?
>
> Forcing people to change their password on a regular basis is a bad
> idea, tends to make people choose easier to guess passwords. Do you
> regularly change the locks on your house?

This proposal is not about forcing password changes, so I am not sure
why you ask?

> My root password is 16 characters that was computer generated -- not
> worth memorising, if I had to regularly change it!
>
> Example password: q!5H!A:xa$3l%o.y Good luck trying to crack my system
> using it!
>
> If anyone is interested, I can publish the Java program I wrote to
> generate my passwords.

I see your point about security of strong passwords, but that seems
largely orthogonal to the desire to know when a password was last
changed.

Michael
--
Michael Banck
Project Manager / Senior Consultant
Tel.: +49 2166 9901-171
Fax: +49 2166 9901-100
Email: michael(dot)banck(at)credativ(dot)de
credativ GmbH, HRB Mönchengladbach 12080
VAT ID number: DE204566209
Trompeterallee 108, 41189 Mönchengladbach
Management: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
Our handling of personal data is subject to the
following provisions: https://www.credativ.de/datenschutz