Re: password rules

From raphi
Subject Re: password rules
Date
Msg-id dc23076e-7b60-46e6-94d0-a3076a6a6687@crashdump.ch
In reply to Re: password rules  ("Peter J. Holzer" <hjp-pgsql@hjp.at>)
List pgsql-general

On 28.06.2025 at 15:59, Peter J. Holzer wrote:
> On 2025-06-27 19:00:36 +0200, raphi wrote:
>
>> It's the application's password that we want to ensure that it is
>> complex and gets changed after we set an initial password for it.
> Why let a human change that at all? Couldn't you just create a suitable
> random password at deployment time? (And then automatically every n
> months if you want to rotate it.)
>
Because someone has to configure the password in the application, mostly 
within WLS or Tomcat, and that's definitely not something that we DBAs 
want to touch; that's the devs' job. Which means we would have to provide 
some mechanism for the application to grab the password, say from a file 
or something, which has its own pitfalls. Not to mention that we DBAs 
usually don't want to know any application passwords. The only feasible 
way to implement this is with HashiCorp Vault or something similar; then 
no one knows the password, neither DBA nor dev, and it would be 
guaranteed that it's complex. And application maintenance by a dev 
directly in the DB could then be made with personal logins via LDAP and 
switching to the application role as you so splendidly described ;) The 
same would be true for SSL certificates: only the application would need 
it and the devs could log in via LDAP.

have fun
raphi
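The role layout sketched in this message (application objects owned by a NOLOGIN role, developers logging in with personal LDAP-authenticated accounts and switching to that role, the application itself using a separate login role whose password is set by the deployment rather than by a human) as an added SQL example; it is not part of the thread, and the role, schema and pg_hba.conf values are assumptions.

```sql
-- Added example; role names, schema name and pg_hba.conf lines are assumptions.
-- Role that owns the application schema: nobody can log in as it directly.
CREATE ROLE app_owner NOLOGIN;
CREATE SCHEMA app AUTHORIZATION app_owner;

-- Login role used by the application server (WLS/Tomcat) at runtime.
-- The deployment sets this password from a generated secret (e.g. one
-- pulled from Vault), so no DBA or dev needs to know it; the literal
-- below is a placeholder, not a real value.
CREATE ROLE app_runtime LOGIN PASSWORD 'REPLACE-WITH-GENERATED-SECRET'
  VALID UNTIL '2025-12-31';            -- expiry forces rotation on a schedule
GRANT USAGE ON SCHEMA app TO app_runtime;
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA app
  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_runtime;

-- Developers get personal login roles. Their passwords never live in
-- PostgreSQL because pg_hba.conf sends them to LDAP, e.g.:
--   host appdb all 10.0.0.0/8 ldap ldapserver=ldap.example.org ldaptls=1
--        ldapprefix="uid=" ldapsuffix=",ou=people,dc=example,dc=org"
-- while the application connects with its own password, e.g.:
--   host appdb app_runtime 10.0.1.0/24 scram-sha-256
CREATE ROLE alice LOGIN;
GRANT app_owner TO alice;

-- Maintenance session: alice authenticates as herself (so the connection
-- log shows a person), then switches to the owning role for DDL.
SET ROLE app_owner;
CREATE TABLE app.orders (id bigint PRIMARY KEY, amount numeric NOT NULL);
RESET ROLE;

-- Check: which login roles are allowed to become app_owner?
SELECT r.rolname
  FROM pg_auth_members m
  JOIN pg_roles r ON r.oid = m.member
 WHERE m.roleid = 'app_owner'::regrole;
```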
