From: Greg Sabino Mullane
Date: Tue, 24 Jun 2025 19:20:21 -0400
Subject: Re: password rules
To: raphi
Cc: Tom Lane, pgsql-general@lists.postgresql.org

On Mon, Jun 23, 2025 at 2:45 PM raphi wrote:

> As of now though we cannot use PG for any PCI/DSS certified application
> because we can't enforce either complexity or regular password changes,

You can, and many, many companies do, but you need a modern auth system like Kerberos. Even if we were to put something into Postgres today (and given the MFA and re-use requirements, it's near impossible), PCI DSS keeps evolving and getting stricter, so keeping up with it would get harder with each release.

> Can I do something to help bring these features into PG? My C knowledge
> is very limited so I won't be able to provide a patch but I'd be more than
> happy to test it.

Your energy would be much better used in bringing Kerberos into your organization. :)

Cheers,
Greg

--
Crunchy Data - https://www.crunchydata.com
Enterprise Postgres Software Products & Tech Support
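As an added illustration of the reply above (not part of the original message and not PostgreSQL project code), this Python sketch sorts pg_hba.conf rules by whether PostgreSQL itself verifies a stored password or hands the check to an external system such as Kerberos (`gss`). The function name, the sample file and the realm EXAMPLE.COM are constructed for the example.

```python
"""Classify pg_hba.conf rules by who verifies the password (added example)."""

# Methods where PostgreSQL checks a password stored in its own catalog, so
# complexity and rotation rules would have to be enforced inside Postgres.
IN_DATABASE = {"password", "md5", "scram-sha-256"}
# Methods that hand the credential check to an external system.
EXTERNAL = {"gss", "sspi", "ldap", "pam", "radius", "bsd"}
# Methods that use no password at all.
NO_PASSWORD = {"cert", "peer", "ident", "trust", "reject"}
ALL_METHODS = IN_DATABASE | EXTERNAL | NO_PASSWORD


def classify_hba(text):
    """Return (line_no, method, category) for every rule in pg_hba.conf text.

    Simplified parser: ignores include directives and quoted fields.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 4:
            continue
        # "local" rules have no address column; host* rules do.
        start = 3 if tokens[0] == "local" else 4
        method = next((t for t in tokens[start:] if t in ALL_METHODS), None)
        if method is None:
            findings.append((line_no, None, "unparsed"))
        elif method in IN_DATABASE:
            findings.append((line_no, method, "in-database password"))
        elif method in EXTERNAL:
            findings.append((line_no, method, "external auth"))
        else:
            findings.append((line_no, method, "no password"))
    return findings


# Constructed sample, not taken from any real system.
SAMPLE_HBA = """\
# TYPE     DATABASE  USER  ADDRESS         METHOD
local      all       postgres              peer
hostssl    app       all   10.0.0.0/8      scram-sha-256
hostgssenc all       all   10.0.0.0/8      gss include_realm=0 krb_realm=EXAMPLE.COM
host       legacy    all   192.168.1.0 255.255.255.0 md5
"""

if __name__ == "__main__":
    for line_no, method, category in classify_hba(SAMPLE_HBA):
        print(f"line {line_no}: {method} -> {category}")
```

Rules reported as "in-database password" are the ones where password policy cannot be delegated to an external identity system.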