Magnus Hagander <magnus@hagander.net> writes:
> On Fri, Dec 16, 2022 at 4:16 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> You can fairly easily enforce password age limits in PG using the
>> ALTER USER ... VALID UNTIL option.
> The part about requiring repeated password changes is considered actively
> harmful these days, so it's definitely obsolete. (Note that this is
> different from the postgres setting for VALID UNTIL which is not about the
> password being valid until, it's about the entire user being valid until
> the specified time).
No, VALID UNTIL only applies to the password; you can log in via
non-password-based auth mechanisms regardless of that.
(I agree that forced password rotations are also an obsolete security
practice, but figured that one bit of push-back at a time was enough.)
> And of course in either case a proper solution like using gssapi/kerberos
> is the better choice.
Yeah, migrating to something like that would be best practice.
regards, tom lane
