On Mon, Dec 16, 2024 at 8:10 AM Greg Sabino Mullane <htamfids@xxxxxxxxx> wrote:
On Mon, Dec 16, 2024 at 5:32 AM 張宸瑋 <kenny020307@xxxxxxxxx> wrote:
We have both regular accounts and system accounts. For regular accounts, we still require password complexity and the lockout functionality after multiple failed login attempts.
Again, what is the threat model here?
I would not be surprised if the "threat model" is security auditors.
Most people have their password in a .pgpass file or similar, so it seems this only adds complexity and annoyance without any real benefit.
Mostly, people do not log into our PG instances. 99% of connections are from application service accounts via JDBC.
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!