From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Bruno Wolff III <bruno(at)wolff(dot)to> |
Cc: | nolan(at)celery(dot)tssi(dot)com, pgsql general list <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: How to deny user changing his own password? |
Date: | 2003-05-29 20:00:57 |
Message-ID: | 29671.1054238457@sss.pgh.pa.us |
Lists: | pgsql-general |

Bruno Wolff III <bruno(at)wolff(dot)to> writes:
> nolan(at)celery(dot)tssi(dot)com wrote:
>> I could see some merit to a 'LOCK' option on the alter user command, so that
>> the password can only be changed by a superuser.

> That would only be useful if the account was shared, which is normally a bad
> idea.

It'd seem to me that once a bad guy has gotten into your database,
whether he can change a password is the least of your worries.
The people you'd really want to be afraid of would not call attention
to their break-in by doing anything as blatantly obvious as that, anyway.

In short, I don't see any value in a password lock option either.
And ISTM anyplace that used it would be getting in the way of good
password management practice. Users *should* be encouraged to change
their own passwords, and to do so regularly.

regards, tom lane