Re: Password complexities in Postgres v14.6

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>, Daulat <daulat(dot)dba(at)gmail(dot)com>, pgsql-admin <pgsql-admin(at)lists(dot)postgresql(dot)org>
Subject: Re: Password complexities in Postgres v14.6
Date: 2022-12-16 16:17:29
Message-ID: 3682760.1671207449@sss.pgh.pa.us
Lists: pgsql-admin

Magnus Hagander <magnus(at)hagander(dot)net> writes:
> On Fri, Dec 16, 2022 at 4:16 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> You can fairly easily enforce password age limits in PG using the
>> ALTER USER ... VALID UNTIL option.

> The part about requiring repeated password changes is considered actively
> harmful these days, so it's definitely obsolete. (Note that this is
> different from the postgres setting for VALID UNTIL which is not about the
> password being valid until, it's about the entire user being valid until
> the specified time).

No, VALID UNTIL only applies to the password; you can log in via
non-password-based auth mechanisms regardless of that.

(I agree that forced password rotations are also an obsolete security
practice, but figured that one bit of push-back at a time was enough.)

> And of course in either case a proper solution like using gssapi/kerberos
> is the better choice.

Yeah, migrating to something like that would be best practice.

regards, tom lane
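The point in dispute above is what VALID UNTIL actually governs: it is a password expiry date on the role, not a lifetime for the role itself, and it is only consulted when pg_hba.conf selects a password-based method for that connection. The SQL below is an added example, not part of the thread; the role name and date are constructed placeholders. It sets an expiry and then runs the audit query an administrator would use to see which login roles have expired or non-expiring passwords.

```sql
-- Added example, not from the mailing-list thread.
-- Role name and expiry date are constructed placeholders.
CREATE ROLE app_reader LOGIN PASSWORD 'placeholder-change-me';

-- VALID UNTIL sets the password expiry only. After this time a
-- password login (scram-sha-256 / md5 in pg_hba.conf) is refused,
-- but a cert, gss or peer login for the same role still succeeds.
ALTER ROLE app_reader VALID UNTIL '2023-01-31 00:00:00+00';

-- Audit: which login roles have expired, expiring, or non-expiring passwords?
-- rolvaliduntil is NULL when VALID UNTIL was never set.
SELECT rolname,
       rolvaliduntil,
       CASE
         WHEN rolvaliduntil IS NULL OR rolvaliduntil = 'infinity'
           THEN 'password never expires'
         WHEN rolvaliduntil < now()
           THEN 'password expired'
         ELSE 'password valid'
       END AS password_state
FROM pg_roles
WHERE rolcanlogin
ORDER BY rolname;
```

Read the audit output together with pg_hba.conf: a role marked "password expired" is only locked out of connections whose matching pg_hba.conf line uses a password method, which is why the thread treats VALID UNTIL as a password control rather than an account control.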
