public inbox for [email protected]  
From: Tom Lane <[email protected]>
To: raphi <[email protected]>
Cc: [email protected]
Subject: Re: password rules
Date: Mon, 23 Jun 2025 11:05:11 -0400
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
References: <[email protected]>

raphi <[email protected]> writes:
> We can set a password for a role in PG but there is no way to force a 
> user to change it, prevent reuse or to enforce some complexity on it. As 
> I understand, that's by choice and when I ask about this, the usual 
> answer is "that's not the job of a database, use LDAP for it".
> ...
> Is there any chance PG will provide this natively or are there any 
> technical limitations I am unaware of?

I think we have pretty much decided that that will never be part of
core Postgres.  If you don't like using an extension for it, you're
out of luck.  (The core developers have too much to do already, so
we are never going to be receptive to arguments like "I don't want
to use an extension".  But in this case the space of possible
requirements is so large that it doesn't make sense to try to build
a one-size-fits-all in-core solution.)

Extension or not, there are serious objections to many aspects of
such a feature, namely that they can't be enforced without requiring
clients to send cleartext passwords to the server.  That in itself
is a security problem.  For that matter, the whole business of using
passwords rather than other ID technologies (SSL certificates,
Kerberos/GSS tickets, etc) is feeling pretty twentieth-century.

			regards, tom lane
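
Added example (not part of the message above and not PostgreSQL code): a sketch of why a server-side rule check depends on receiving the cleartext. The verifier layout follows PostgreSQL's SCRAM-SHA-256 secret format; the 12-character policy, the function names, the fixed salt and the ASCII-only passwords are assumptions made for the demonstration.

```python
import base64, hashlib, hmac, re

SALT = bytes(range(16))  # constructed fixed salt so the demo is repeatable

def scram_verifier(password, salt=SALT, iterations=4096):
    """Client side: derive the secret that is sent instead of the cleartext."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda raw: base64.b64encode(raw).decode()
    return (f"SCRAM-SHA-256${iterations}:{b64(salt)}"
            f"${b64(stored_key)}:{b64(server_key)}")

def complexity_ok(cleartext):
    """Hypothetical policy: 12+ characters with a letter, a digit, a symbol."""
    return (len(cleartext) >= 12
            and all(re.search(p, cleartext)
                    for p in (r"[A-Za-z]", r"\d", r"[^A-Za-z0-9]")))

def matches_guess(verifier, guess):
    """The only test a verifier allows: recompute it for one candidate."""
    m = re.fullmatch(r"SCRAM-SHA-256\$(\d+):([^$]+)\$[^:]+:.+", verifier)
    if not m:
        raise ValueError("not a SCRAM-SHA-256 verifier")
    salt = base64.b64decode(m.group(2))
    candidate = scram_verifier(guess, salt, int(m.group(1)))
    return hmac.compare_digest(candidate, verifier)

def server_side_check(role, secret):
    """Decide from what the server actually receives in the password field."""
    if secret.startswith("SCRAM-SHA-256$"):
        # Pre-hashed by the client: length and character classes are gone.
        if matches_guess(secret, role):
            return "reject: password equals role name"
        return "accept: policy not verifiable"
    return "accept: policy met" if complexity_ok(secret) else "reject: too weak"

if __name__ == "__main__":
    for pw in ("abc", "alice", "Tr0ub4dor&3-xyz"):
        print(repr(pw), "| cleartext:", server_side_check("alice", pw),
              "| verifier:", server_side_check("alice", scram_verifier(pw)))
```

The three-character password is rejected only when it arrives in cleartext; once the client hashes it first, the server can do no more than test individual guesses such as the role name.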
