Re: Query on User account password change details

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Ron <ronljohnsonjr(at)gmail(dot)com>
Cc: pgsql-admin(at)lists(dot)postgresql(dot)org
Subject: Re: Query on User account password change details
Date: 2021-05-07 14:10:05
Message-ID: 20210507141005.GB10431@momjian.us
Lists: pgsql-admin

On Fri, May 7, 2021 at 08:55:15AM -0500, Ron wrote:
> On 5/7/21 7:30 AM, Scott Ribe wrote:
> > > On May 6, 2021, at 11:40 PM, Ron <ronljohnsonjr(at)gmail(dot)com> wrote:
> > >
> > > Comments like this are indicative of someone who's never been through an external audit.
> > While maybe true, the point stands that even the original source of the requirement has admitted it's a bad idea, and standards bodies are dropping it. So, unlike many other things we might consider pointless, with this one, you have the kind of defense that might work in an audit.
>
> The problem is that PostgreSQL allows Really Short Passwords without
> uttering a peep, and that's not defensible to an auditor.
>
> psql (12.5 (Ubuntu 12.5-1.pgdg18.04+1))
> Type "help" for help.
>
> postgres=# create role foo password 'a';
> CREATE ROLE
> postgres=#

Have you considered passwordcheck?

https://www.postgresql.org/docs/13/passwordcheck.html

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

If only the physical world exists, free will is an illusion.
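
Added example, not part of the original message or of the PostgreSQL project's code: enabling the passwordcheck module referenced above and repeating the quoted `create role` test against it. The role name `foo` comes from the quoted session; the passwords are constructed for illustration, and superuser access plus a server restart are assumed.

```sql
-- 1. passwordcheck is loaded through shared_preload_libraries.
--    ALTER SYSTEM replaces the whole list, so look at the current value
--    first and keep any libraries that are already configured.
SHOW shared_preload_libraries;
ALTER SYSTEM SET shared_preload_libraries = 'passwordcheck';
-- Restart the server now; a reload does not apply this parameter.

-- 2. With the module loaded, plaintext passwords in CREATE ROLE / ALTER ROLE
--    are checked. Each statement below violates one of its rules and fails:
CREATE ROLE foo PASSWORD 'a';             -- shorter than 8 characters
CREATE ROLE foo PASSWORD 'abcdefghij';    -- letters only, no non-letter
CREATE ROLE foo PASSWORD '1234567890';    -- non-letters only, no letter
CREATE ROLE foo PASSWORD 'foo-12345';     -- contains the role name

-- 3. This one satisfies all three rules and is accepted:
CREATE ROLE foo PASSWORD 'k7#Tq9!mZx2p';

-- 4. Caveats to raise with an auditor:
--    * The check runs only when a password is set. Passwords that existed
--      before the module was loaded are not re-examined.
--    * A password that reaches the server already hashed (which is what
--      psql's \password sends) cannot be checked for length or content;
--      the module can only test whether it equals the role name.
ALTER ROLE foo PASSWORD 'n3w-Passphrase!';  -- plaintext form, so it is checked
```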
