On 5/7/21 9:10 AM, Bruce Momjian wrote:
On Fri, May 7, 2021 at 08:55:15AM -0500, Ron wrote:
On 5/7/21 7:30 AM, Scott Ribe wrote:
On May 6, 2021, at 11:40 PM, Ron <ronljohnsonjr@xxxxxxxxx> wrote:
Comments like this are indicative of someone who's never been through an external audit.
While maybe true, the point stands that even the original source of the requirement has admitted it's a bad idea, and standards bodies are dropping it. So, unlike many other things we might consider pointless, with this one, you have the kind of defense that might work in an audit.
The problem is that Postgresql allows Really Short Passwords without
uttering a peep, and that's not defensible to an auditor.
psql (12.5 (Ubuntu 12.5-1.pgdg18.04+1))
Type "help" for help.
postgres=# create role foo password 'a';
CREATE ROLE
postgres=#
Have you considered passwordcheck?
https://www.postgresql.org/docs/13/passwordcheck.html
This might satisfy my own audit requirements!
--
Angular momentum makes the world go 'round.
