Re: Credcheck- credcheck.max_auth_failure - Mailing list pgsql-general

From Ron Johnson
Subject Re: Credcheck- credcheck.max_auth_failure
Msg-id CANzqJaDJ0_Aiih6X6AMfkRaWATFrHJMw_21oS-7im8JdN9SgrQ@mail.gmail.com
In response to Re: Credcheck- credcheck.max_auth_failure  (Greg Sabino Mullane <htamfids@gmail.com>)
List pgsql-general
On Wed, Dec 11, 2024 at 12:57 PM Greg Sabino Mullane <htamfids@gmail.com> wrote:
> On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 <kenny020307@gmail.com> wrote:
>> In the use of the Credcheck suite, the parameter "credcheck.max_auth_failure = '3'" is set in the postgresql.conf file to limit users from entering incorrect passwords more than three times, after which their account will be locked.
>
> Won't that allow absolutely anyone to lock out anyone else, including admins/superusers? Sounds like a bad idea to me.

Isn't this a pretty common password setting? I know that for at least 35 years, going back to the VAX/VMS days, I've been locked out for X hours if I typed an invalid password. Same on Windows and I think also Linux (though ssh public keys and clients remembering passwords mean that rarely happens to me).

>> Due to certain requirements, I would like to ask if there is a way or feature to set this parameter differently for a specific user or role, so that it does not apply to them.
>
> There is not, but there is always the credcheck.reset_superuser setting as an emergency measure. I'd keep the password complexity settings and not enable max_auth_failure at all, myself. Three strikes and you're out feels pretty draconian. Is there a particular threat model that is driving that?

--
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!
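A defender-side check for the lockout concern raised in this thread, added here as an example and not code from the thread or from the credcheck project: it replays constructed PostgreSQL log lines against a credcheck.max_auth_failure threshold and reports which accounts would have been locked and from how many distinct client hosts, which is the signal that a lockout was not caused by the account's legitimate user. It assumes log_line_prefix = '%m [%p] %h ' and that a successful login resets the failure counter.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). They assume
# log_line_prefix = '%m [%p] %h ' (timestamp, pid, client host);
# the message text is PostgreSQL's own "password authentication failed" FATAL.
SAMPLE_LOG = """\
2024-12-11 12:50:01.001 UTC [4101] 10.0.0.5 FATAL:  password authentication failed for user "alice"
2024-12-11 12:50:02.002 UTC [4102] 10.0.0.5 FATAL:  password authentication failed for user "alice"
2024-12-11 12:50:03.003 UTC [4103] 10.0.0.5 LOG:  connection authorized: user=alice database=app
2024-12-11 12:51:10.010 UTC [4110] 198.51.100.7 FATAL:  password authentication failed for user "postgres"
2024-12-11 12:51:11.011 UTC [4111] 198.51.100.8 FATAL:  password authentication failed for user "postgres"
2024-12-11 12:51:12.012 UTC [4112] 198.51.100.9 FATAL:  password authentication failed for user "postgres"
2024-12-11 12:51:13.013 UTC [4113] 198.51.100.9 FATAL:  password authentication failed for user "postgres"
"""

FAIL_RE = re.compile(
    r'^\S+ \S+ \S+ \[\d+\] (?P<host>\S+) FATAL:\s+'
    r'password authentication failed for user "(?P<user>[^"]+)"$'
)
# Assumption: a successful login resets the per-user failure streak.
OK_RE = re.compile(r'LOG:\s+connection authorized: user=(\S+)')

def lockout_report(log_text, max_auth_failure=3):
    """Return {user: {"failures": n, "hosts": [...]}} for every user whose
    consecutive failures reached the credcheck.max_auth_failure threshold."""
    streak = defaultdict(int)
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            streak[m["user"]] += 1
            hosts[m["user"]].add(m["host"])
            continue
        m = OK_RE.search(line)
        if m:
            streak[m.group(1)] = 0
            hosts[m.group(1)].clear()
    # Several distinct hosts behind one locked account is the pattern to
    # investigate: the lockout was likely triggered by someone else.
    return {
        u: {"failures": n, "hosts": sorted(hosts[u])}
        for u, n in streak.items() if n >= max_auth_failure
    }
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and adjusting FAIL_RE to your own log_line_prefix.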
