| From: | "Peter J(dot) Holzer" <hjp-pgsql(at)hjp(dot)at> |
|---|---|
| To: | pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Credcheck- credcheck.max_auth_failure |
| Date: | 2024-12-16 11:34:31 |
| Message-ID: | 20241216113431.v5rnxexalfj6eorv@hjp.at |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On 2024-12-16 18:32:34 +0800, 張宸瑋 wrote:
> We have both regular accounts and system accounts. For regular accounts, we
> still require password complexity and the lockout functionality after multiple
> failed login attempts. However, for system accounts, due to information
> security regulations, password complexity is also required. The issue is that
> system accounts are used for system integration, and if the account gets
> locked, it may affect system services, which could lead to problems. To prevent
> this, we would like to exclude system accounts from being affected by the
> credcheck.max_auth_failure parameter.
Just in case it wasn't clear: My recommendation is to NOT use the
credcheck.max_auth_failure parameter for ANY account. It just causes
problems and doesn't really help. If you can't trust your users to
chooses sufficiently strong passwords, use a second factor. Or maybe
replace passwords with some other method (public keys, FIDO, ...)
altogether (in fact, I'd do that for system accounts).
hp
--
_ | Peter J. Holzer | Story must make more sense than reality.
|_|_) | |
| | | hjp(at)hjp(dot)at | -- Charles Stross, "Creative writing
__/ | http://www.hjp.at/ | challenge!"
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Greg Sabino Mullane | 2024-12-16 13:09:45 | Re: Credcheck- credcheck.max_auth_failure |
| Previous Message | 張宸瑋 | 2024-12-16 10:32:34 | Re: Credcheck- credcheck.max_auth_failure |