Bruce Momjian <bruce@xxxxxxxxxx> writes:
> On Fri, May 7, 2021 at 08:55:15AM -0500, Ron wrote:
>> The problem is that Postgresql allows Really Short Passwords without
>> uttering a peep, and that's not defensible to an auditor.

> Have you considered passwordcheck?
> https://www.postgresql.org/docs/13/passwordcheck.html

BTW, this is a perfect example of why obsolete auditing rules actually
are a net negative to security. The only way passwordcheck can enforce
anything about the password's strength is if the server gets to see
the cleartext password. In these days of SCRAM, requiring that is in
itself bad practice: the cleartext password ought never leave the
client's machine.

regards, tom lane
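
What the server receives when the client hashes the password itself, as an added example (not code from this thread or from PostgreSQL): it builds a verifier in the `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>` layout PostgreSQL stores. Assumptions: ASCII passwords so SASLprep is skipped, a constructed fixed salt, and a hypothetical `min_length_check` standing in for a server-side length rule.

```python
import base64
import hashlib
import hmac


def scram_sha256_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    """Derive a SCRAM-SHA-256 verifier (RFC 5802 / RFC 7677 key derivation).

    Assumption: the password is ASCII, so SASLprep normalization is skipped.
    """
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()

    def b64(raw: bytes) -> str:
        return base64.b64encode(raw).decode("ascii")

    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def min_length_check(received: str, minimum: int = 8) -> bool:
    """Hypothetical server-side rule: a length test on whatever string arrives."""
    return len(received) >= minimum


def demo():
    # Constructed fixed salt so the output is reproducible; a real client
    # would generate a fresh random salt for every password change.
    salt = bytes(range(16))
    short = scram_sha256_verifier("a", salt)
    strong = scram_sha256_verifier("correct horse battery staple", salt)
    return short, strong


if __name__ == "__main__":
    short, strong = demo()
    # Both verifiers have the same length and shape; only the key bytes differ.
    print(len(short), short)
    print(len(strong), strong)
    # The length rule rejects the cleartext "a" but accepts its verifier,
    # because the server can no longer measure the original password.
    print(min_length_check("a"), min_length_check(short))
```
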