Magnus Hagander <magnus@xxxxxxxxxxxx> writes: > On Fri, Dec 16, 2022 at 4:16 PM Tom Lane <tgl@xxxxxxxxxxxxx> wrote: > You can fairly easily enforce password age limits in PG using the >> ALTER USER ... VALID UNTIL option. > The part about requiring repeated password changes is considered actively > harmful these days, so it's definitely obsolete. (Note that this is > different from the postgres setting for VALID UNTIL which is not about the > password being valid until, it's about the entire user being valid until > the specified time). No, VALID UNTIL only applies to the password; you can log in via non-password-based auth mechanisms regardless of that. (I agree that forced password rotations are also an obsolete security practice, but figured that one bit of push-back at a time was enough.) > And of course in either case a proper solution like using gssapi/kerberos > is the better choice. Yeah, migrating to something like that would be best practice. regards, tom lane
