Record last password change

From: Michael Banck <michael(dot)banck(at)credativ(dot)de>
To: Postgres hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Record last password change
Date: 2018-12-11 10:33:51
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers


a customer recently mentioned that they'd like to be able to see when a
(md5, scram) role had their password last changed. 

Use-cases for this would be issueing an initial password and then later
making sure it got changed, or auditing that all passwords get changed
once a year. You can do that via external authentication methods like
ldap/gss-api/pam but in some setups those might not be available to the

I guess it would amount to adding a column like rolpasswordchanged to
pg_authid and updating it when rolpassword changes, but maybe there is a
better way?

The same was requested in
how-to-know-when-postgresql-password-is-changed so I was wondering
whether this would be a welcome change/addition, or whether people think
it's not worth bothering to implement it?



Michael Banck
Projektleiter / Senior Berater
Tel.: +49 2166 9901-171
Fax: +49 2166 9901-100
Email: michael(dot)banck(at)credativ(dot)de

credativ GmbH, HRB Mönchengladbach 12080
USt-ID-Nummer: DE204566209
Trompeterallee 108, 41189 Mönchengladbach
Geschäftsführung: Dr. Michael Meskes, Jörg Folz, Sascha Heuer

Unser Umgang mit personenbezogenen Daten unterliegt
folgenden Bestimmungen:


Browse pgsql-hackers by date

  From Date Subject
Next Message Gavin Flower 2018-12-11 10:45:29 Re: Record last password change
Previous Message Sergei Kornilov 2018-12-11 10:16:23 Re: allow online change primary_conninfo