On 5/7/21 9:10 AM, Bruce Momjian wrote:
> On Fri, May 7, 2021 at 08:55:15AM -0500, Ron wrote:
>> On 5/7/21 7:30 AM, Scott Ribe wrote:
>>>> On May 6, 2021, at 11:40 PM, Ron <ronljohnsonjr@gmail.com> wrote:
>>>>
>>>> Comments like this are indicative of someone who's never been through an external audit.
>>> While maybe true, the point stands that even the original source of the requirement has admitted it's a bad idea,
andstandards bodies are dropping it. So, unlike many other things we might consider pointless, with this one, you have
thekind of defense that might work in an audit.
>> The problem is that Postgresql allows Really Short Passwords without
>> uttering a peep, and that's not defensible to an auditor.
>>
>> psql (12.5 (Ubuntu 12.5-1.pgdg18.04+1))
>> Type "help" for help.
>>
>> postgres=# create role foo password 'a';
>> CREATE ROLE
>> postgres=#
> Have you considered passwordcheck?
>
> https://www.postgresql.org/docs/13/passwordcheck.html
This might satisfy my own audit requirements!
--
Angular momentum makes the world go 'round.