Greetings,

* Michael Banck (michael.ba...@credativ.de) wrote:
> a customer recently mentioned that they'd like to be able to see when a
> (md5, scram) role had their password last changed.

There is an awful lot here that we really should be doing. For a long time, that felt pretty stalled because of the md5 mechanism being used, but now that we've got SCRAM, there's a number of things we should be doing:

- Password aging (which requires knowing when it was last changed)
- Password complexity
- Disallow repeated use of the same password
- Requiring password change on first/next connection
- User/Password profiles
- more...

> Use-cases for this would be issuing an initial password and then later
> making sure it got changed, or auditing that all passwords get changed
> once a year. You can do that via external authentication methods like
> ldap/gss-api/pam but in some setups those might not be available to the
> DBAs.

Agreed.

> I guess it would amount to adding a column like rolpasswordchanged to
> pg_authid and updating it when rolpassword changes, but maybe there is a
> better way?

That could be a start, but I do expect that we'll grow at least one other table eventually to support user profiles.

> The same was requested in https://dba.stackexchange.com/questions/91252/
> how-to-know-when-postgresql-password-is-changed so I was wondering
> whether this would be a welcome change/addition, or whether people think
> it's not worth bothering to implement it?

Definitely a +1 from me, but I'd like us to be thinking about the other things we should be doing in this area to bring our password-based authentication mechanism kicking-and-screaming into the current decade.

Thanks!

Stephen