Re: password rules

Am 25.06.2025 um 01:20 schrieb Greg Sabino Mullane:
> On Mon, Jun 23, 2025 at 2:45 PM raphi <raphi@crashdump.ch> wrote:
>
>     As of now though we cannot use PG for any PCI/DSS certified
>     application
>     because we can't enforce either complexity nor regular password
>     changes,
>
>
> You can, and many, many companies do, but you need a modern auth 
> system like Kerberos. Even if we were to put something into Postgres 
> today (and given the MFA and re-use requirements, it's near 
> impossible), PCI DSS keeps evolving and getting stricter, so keeping 
> up with it would get harder with each release.
>
>     Can I do something to help bringing these feature into PG? My C
>     knowledge is very limited so I won't be able to provide a patch
>     but I'd be more than happy to test it.
>
>
> Your energy would be much better used in bringing Kerberos into your 
> organization. :)
>
Well as said, we have LDAP and IAM widely in use for everything except 
database access. It's the IAM part that's making it difficult for us to 
implement it for PG application/user roles, this wouldn't change by 
using Kerberos instead of LDAP. I thought we'll get the exception from 
our security to use IAM roles instead of physical persons defined as the 
owner of the PG accounts but now they are against it. Main reason is 
because they are looking into a completely different solution with 
Vault, which would fix some other issues and make it more robust towards 
PCI, and they prefer a solution for everything rather than making 
another exception. But we are speaking about years here, 2027 earliest 
and they haven't even talked to us yet how this would work with PG, only 
other DB products.

have fun,
raphi