Re: Query on User account password change details

From Tom Lane
Subject Re: Query on User account password change details
Date
Msg-id 35005.1620398465@sss.pgh.pa.us
In response to Re: Query on User account password change details  (Bruce Momjian <bruce@momjian.us>)
List pgsql-admin
Bruce Momjian <bruce@momjian.us> writes:
> On Fri, May  7, 2021 at 08:55:15AM -0500, Ron wrote:
>> The problem is that Postgresql allows Really Short Passwords without
>> uttering a peep, and that's not defensible to an auditor.

> Have you considered passwordcheck?
>     https://www.postgresql.org/docs/13/passwordcheck.html

BTW, this is a perfect example of why obsolete auditing rules actually
are a net negative to security.  The only way passwordcheck can enforce
anything about the password's strength is if the server gets to see the
cleartext password.  In these days of SCRAM, requiring that is in
itself bad practice: the cleartext password ought never leave the
client's machine.

            regards, tom lane
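
The point about SCRAM, as an added illustration that is not part of the original message or of PostgreSQL's code: the client derives the SCRAM-SHA-256 verifier locally, so a length rule can only run where the cleartext still exists, and a server-side hook sees the same-shaped string for any password. `MIN_LENGTH`, the function names and the fixed salt are assumptions made for this sketch, and SASLprep normalization is skipped (ASCII passwords only).

```python
import base64
import hashlib
import hmac
import os

MIN_LENGTH = 12  # hypothetical site policy, enforced on the client


def scram_verifier(password, salt=None, iterations=4096):
    """Build a PostgreSQL-style SCRAM-SHA-256 verifier on the client.

    Assumes an ASCII password; real clients apply SASLprep first.
    """
    if len(password) < MIN_LENGTH:
        # The cleartext exists only here, so this is the only place to check it.
        raise ValueError(f"password shorter than {MIN_LENGTH} characters")
    salt = salt if salt is not None else os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("ascii"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()

    def b64(raw):
        return base64.b64encode(raw).decode("ascii")

    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def server_side_view(verifier):
    """What a server-side hook can read from the verifier: parameters, not strength."""
    scheme, params, keys = verifier.split("$")
    iterations, salt = params.split(":")
    stored_key, server_key = keys.split(":")
    return {
        "scheme": scheme,
        "iterations": int(iterations),
        "salt_len": len(base64.b64decode(salt)),
        "stored_key_len": len(base64.b64decode(stored_key)),
        "server_key_len": len(base64.b64decode(server_key)),
    }


if __name__ == "__main__":
    fixed_salt = bytes(range(16))  # constructed salt so the output is repeatable
    verifier = scram_verifier("correct horse battery", fixed_salt)
    print(verifier)
    print(server_side_view(verifier))
```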


