| From: | Ron <ronljohnsonjr(at)gmail(dot)com> |
|---|---|
| To: | pgsql-admin(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Query on User account password change details |
| Date: | 2021-05-07 14:14:21 |
| Message-ID: | 8ed70776-3c35-d688-4820-4c73cbdb767a@gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
On 5/7/21 9:10 AM, Bruce Momjian wrote:
> On Fri, May 7, 2021 at 08:55:15AM -0500, Ron wrote:
>> On 5/7/21 7:30 AM, Scott Ribe wrote:
>>>> On May 6, 2021, at 11:40 PM, Ron <ronljohnsonjr(at)gmail(dot)com> wrote:
>>>>
>>>> Comments like this are indicative of someone who's never been through an external audit.
>>> While maybe true, the point stands that even the original source of the requirement has admitted it's a bad idea, and standards bodies are dropping it. So, unlike many other things we might consider pointless, with this one, you have the kind of defense that might work in an audit.
>> The problem is that Postgresql allows Really Short Passwords without
>> uttering a peep, and that's not defensible to an auditor.
>>
>> psql (12.5 (Ubuntu 12.5-1.pgdg18.04+1))
>> Type "help" for help.
>>
>> postgres=# create role foo password 'a';
>> CREATE ROLE
>> postgres=#
> Have you considered passwordcheck?
>
> https://www.postgresql.org/docs/13/passwordcheck.html
This might satisfy my own audit requirements!
--
Angular momentum makes the world go 'round.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2021-05-07 14:41:05 | Re: Query on User account password change details |
| Previous Message | Bruce Momjian | 2021-05-07 14:10:05 | Re: Query on User account password change details |