> We have both regular accounts and system accounts. For regular accounts, we still require password complexity and the lockout functionality after multiple failed login attempts.

Again, what is the threat model here? Most people have their password in a .pgpass file or similar, so it seems this only adds complexity and annoyance without any real benefit.

> However, for system accounts, due to information security regulations, password complexity is also required.

Yes, this makes sense.

> The issue is that system accounts are used for system integration, and if the account gets locked, it may affect system services, which could lead to problems. To prevent this, we would like to exclude system accounts from being affected by the credcheck.max_auth_failure parameter.

I think we all understand that, but the extension as it exists now cannot do that. And the obvious and easiest solution is to stop using the denial of service feature, which I am hoping is NOT mandated by security regulations.