Re: How to deny user changing his own password? - Mailing list pgsql-general

From Tom Lane
Subject Re: How to deny user changing his own password?
Date
Msg-id 29671.1054238457@sss.pgh.pa.us
In response to Re: How to deny user changing his own password?  (Bruno Wolff III <bruno@wolff.to>)
Responses Re: How to deny user changing his own password?  (nolan@celery.tssi.com)
List pgsql-general
Bruno Wolff III <bruno@wolff.to> writes:
>   nolan@celery.tssi.com wrote:
>> I could see some merit to a 'LOCK' option on the alter user command, so that
>> the password can only be changed by a superuser.

> That would only be useful if the account was shared, which is normally a bad
> idea.

It'd seem to me that once a bad guy has gotten into your database,
whether he can change a password is the least of your worries.
The people you'd really want to be afraid of would not call attention
to their break-in by doing anything as blatantly obvious as that, anyway.

In short, I don't see any value in a password lock option either.
And ISTM anyplace that used it would be getting in the way of good
password management practice.  Users *should* be encouraged to change
their own passwords, and to do so regularly.

            regards, tom lane
