| From: | Ron Johnson <ronljohnsonjr(at)gmail(dot)com> |
|---|---|
| To: | Greg Sabino Mullane <htamfids(at)gmail(dot)com> |
| Cc: | 張宸瑋 <kenny020307(at)gmail(dot)com>, pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Credcheck- credcheck.max_auth_failure |
| Date: | 2024-12-16 14:13:16 |
| Message-ID: | CANzqJaB1mFKUP=_kFqg2CtSN6QSMkgsMTvYtQnoGJ7cLAhhjyQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Mon, Dec 16, 2024 at 8:10 AM Greg Sabino Mullane <htamfids(at)gmail(dot)com>
wrote:
> On Mon, Dec 16, 2024 at 5:32 AM 張宸瑋 <kenny020307(at)gmail(dot)com> wrote:
>
>> We have both regular accounts and system accounts. For regular accounts,
>> we still require password complexity and the lockout functionality after
>> multiple failed login attempts.
>>
>
> Again, what is the threat model here?
>
I would not be surprised if the "threat model" is security auditors.
> Most people have their password in a .pgpass file or similar, so it seems
> this only adds complexity and annoyance without any real benefit.
>
Mostly, people *do not* log into our PG instances. 99% of connections are
from application service accounts via JDBC.
--
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ron Johnson | 2024-12-16 14:17:25 | Re: Credcheck- credcheck.max_auth_failure |
| Previous Message | Greg Sabino Mullane | 2024-12-16 13:09:45 | Re: Credcheck- credcheck.max_auth_failure |