On Mon, Dec 16, 2024 at 8:10 AM Greg Sabino Mullane <htamf...@gmail.com> wrote:
> On Mon, Dec 16, 2024 at 5:32 AM 張宸瑋 <kenny020...@gmail.com> wrote:
>
>> We have both regular accounts and system accounts. For regular accounts,
>> we still require password complexity and the lockout functionality after
>> multiple failed login attempts.
>>
>
> Again, what is the threat model here?
> I would not be surprised if the "threat model" is security auditors.
> Most people have their password in a .pgpass file or similar, so it seems
> this only adds complexity and annoyance without any real benefit.
>

Mostly, people *do not* log into our PG instances. 99% of connections are from application service accounts via JDBC.

--
Death to <Redacted>, and butter sauce. Don't boil me, I'm still alive. <Redacted> lobster!