From: Ron Johnson
Date: Mon, 16 Dec 2024 09:13:16 -0500
Subject: Re: Credcheck- credcheck.max_auth_failure
To: Greg Sabino Mullane
Cc: 張宸瑋, pgsql-general@lists.postgresql.org

On Mon, Dec 16, 2024 at 8:10 AM Greg Sabino Mullane wrote:

> On Mon, Dec 16, 2024 at 5:32 AM 張宸瑋 wrote:
>
>> We have both regular accounts and system accounts. For regular accounts,
>> we still require password complexity and the lockout functionality after
>> multiple failed login attempts.
>
> Again, what is the threat model here?

I would not be surprised if the "threat model" is security auditors.

> Most people have their password in a .pgpass file or similar, so it seems
> this only adds complexity and annoyance without any real benefit.

Mostly, people *do not* log into our PG instances. 99% of connections are
from application service accounts via JDBC.

-- 
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!