On 11/12/2018 23:33, Michael Banck wrote:
Hello,
a customer recently mentioned that they'd like to be able to see when a
(md5, scram) role had their password last changed.
Use-cases for this would be issueing an initial password and then later
making sure it got changed, or auditing that all passwords get changed
once a year. You can do that via external authentication methods like
ldap/gss-api/pam but in some setups those might not be available to the
DBAs.
I guess it would amount to adding a column like rolpasswordchanged to
pg_authid and updating it when rolpassword changes, but maybe there is a
better way?
The same was requested in https://dba.stackexchange.com/questions/91252/
how-to-know-when-postgresql-password-is-changed so I was wondering
whether this would be a welcome change/addition, or whether people think
it's not worth bothering to implement it?
Thoughts?
Michael
Forcing people to change their password on a regular basis is a bad
idea, tends to make people choose easier to guess passwords. Do you
regularly change the locks on your house?
My root password is 16 characters that was computer generated -- not
worth memorising, if I had to regularly change it!
Example password: q!5H!A:xa$3l%o.y Good luck trying to crack my system
using it!
If anyone is interested, I can publish the Java program I wrote to
generate my passwords.
Cheers,
Gavin
