public inbox for [email protected]
From: raphi <[email protected]>
To: [email protected]
Subject: Re: password rules
Date: Sat, 28 Jun 2025 18:06:51 +0200
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>

On 28.06.2025 at 15:59, Peter J. Holzer wrote:
> On 2025-06-27 19:00:36 +0200, raphi wrote:
>
>> It's the application's password that we want to ensure that it is
>> complex and gets changed after we set an initial password for it.
> Why let a human change that at all? Couldn't you just create a suitable
> random password at deployment time? (And then automatically every n
> months if you want to rotate it.)
>
Because someone has to configure the password in the application, mostly
within WLS or Tomcat, and that's definitely not something that we DBAs
want to touch; that's the devs' job. Which means we would have to provide
some mechanism for the application to grab the password, say from a file
or something, which has its own pitfalls. Not to mention that we DBAs
usually don't want to know any application passwords. The only feasible
way to implement this is with HashiCorp Vault or something similar; then
no one knows the password, neither DBA nor Dev, and it would be
guaranteed that it's complex. And application maintenance by a dev
directly in the DB could then be done with personal logins via LDAP and
switching to the application role as you so splendidly described ;) Same
would be true for SSL certificates: only the application would need it
and the devs could log in via LDAP.
have fun
raphi