Hi,

On Tuesday, 11.12.2018, at 23:45 +1300, Gavin Flower wrote:
> On 11/12/2018 23:33, Michael Banck wrote:
> > a customer recently mentioned that they'd like to be able to see when a
> > (md5, scram) role had their password last changed.
> >
> > Use-cases for this would be issuing an initial password and then later
> > making sure it got changed, or auditing that all passwords get changed
> > once a year. You can do that via external authentication methods like
> > ldap/gss-api/pam but in some setups those might not be available to the
> > DBAs.
> >
> > I guess it would amount to adding a column like rolpasswordchanged to
> > pg_authid and updating it when rolpassword changes, but maybe there is a
> > better way?
> >
> > The same was requested in
> > https://dba.stackexchange.com/questions/91252/how-to-know-when-postgresql-password-is-changed
> > so I was wondering whether this would be a welcome change/addition, or
> > whether people think it's not worth bothering to implement it?
>
> Forcing people to change their password on a regular basis is a bad
> idea, tends to make people choose easier to guess passwords. Do you
> regularly change the locks on your house?

This proposal is not about forcing password changes, so I am not sure
why you ask?

> My root password is 16 characters that was computer generated -- not
> worth memorising, if I had to regularly change it!
>
> Example password: q!5H!A:xa$3l%o.y Good luck trying to crack my system
> using it!
>
> If anyone is interested, I can publish the Java program I wrote to
> generate my passwords.

I see your point about security of strong passwords, but that seems
largely orthogonal to the desire to know when a password was last
changed.

Michael

--
Michael Banck
Project Manager / Senior Consultant
Tel.: +49 2166 9901-171
Fax: +49 2166 9901-100
Email: michael.ba...@credativ.de

credativ GmbH, HRB Mönchengladbach 12080
VAT ID number: DE204566209
Trompeterallee 108, 41189 Mönchengladbach
Management: Dr. Michael Meskes, Jörg Folz, Sascha Heuer

Our handling of personal data is subject to the following provisions:
https://www.credativ.de/datenschutz