passwordcheck is a contrib module for checking that user passwords meet certain criteria.
passwordcheck is activated by inclusion in shared_preload_libraries.
As-is, it performs a limited range of checks. In particular, it is only able to check that encrypted passwords do not match the username (any further checks would of course be impossible) and is of limited practical use in a real-world security environment. Given that PostgreSQL provides comparatively limited functionality for managing password validity, configuring an external authentication mechanism such as GSSAPI, SSPI, LDAP, or RADIUS is recommended.
passwordcheck has not been significantly modified since it was added in PostgreSQL 9.0.
passwordcheck must be enabled via shared_preload_libraries:
postgres=# SHOW shared_preload_libraries;
 shared_preload_libraries
--------------------------
 passwordcheck
(1 row)
Example usage with passwords provided as plain text:
postgres=# ALTER ROLE foo PASSWORD 'foo';
ERROR:  password is too short
postgres=# ALTER ROLE postgres PASSWORD 'postgres';
ERROR:  password must not contain user name
postgres=# ALTER ROLE foo PASSWORD 'foobar';
ERROR:  password must not contain user name
postgres=# ALTER ROLE foo PASSWORD 'boobarbaz';
ERROR:  password must contain both letters and nonletters
With passwords provided in encrypted format, only a simple check that the password matches the username is possible:
postgres=# ALTER ROLE foo ENCRYPTED PASSWORD 'SCRAM-SHA-256$4096:eUHVJZ5WSsEomBt9BgHJzQ==$x57IR2ZcoKl8tlz5I2w636bquX3JmCYmi4LlDIa5lIY=:viXV52BLraOFRaw1gCp22K9VgLe6Rvi1nvcWNR6PTe4=';
ERROR:  password must not equal user name
Other passwords will be accepted as-is; here the value foobar (which would be rejected as plain text) is being passed as the encrypted password:
postgres=# ALTER ROLE foo ENCRYPTED PASSWORD 'SCRAM-SHA-256$4096:aiSTMi/J+KkJa9WFMgiahg==$f//pUq3yGJ6E8UbCxJWcGvnylc0aNuZR6WuLAcYSzWA=:yzMz+l1TIAYQ28tdQ2YopKwQiIjMwpGAariL2jmeaxU=';
ALTER ROLE
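The behaviour shown above, reimplemented in Python as an added example (this is not the module's C source): the three plain-text rules, and for a SCRAM-SHA-256 verifier the single check that is possible, deriving the StoredKey from the user name and comparing it, which is why a verifier for foobar is accepted. Assumptions: the check order (length, then user-name substring, then letter mix), the function names, the verifier layout SCRAM-SHA-256$iter:salt$StoredKey:ServerKey as used in the examples, and that SASLprep is omitted (a no-op for ASCII passwords).

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

MIN_PWD_LENGTH = 8  # passwordcheck's compiled-in minimum (no GUC to change it)

def check_plaintext(username: str, password: str) -> Optional[str]:
    """The three plain-text rules; returns the error text or None (order assumed)."""
    if len(password) < MIN_PWD_LENGTH:
        return "password is too short"
    if username in password:  # strstr(): case-sensitive substring match
        return "password must not contain user name"
    letters = sum(c.isascii() and c.isalpha() for c in password)
    if letters == 0 or letters == len(password):
        return "password must contain both letters and nonletters"
    return None

def _stored_key(password: str, salt: bytes, iterations: int) -> bytes:
    # RFC 5802: StoredKey = H(HMAC(PBKDF2(password, salt, i), "Client Key"))
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return hashlib.sha256(client_key).digest()

_VERIFIER = re.compile(r"^SCRAM-SHA-256\$(\d+):([^$]+)\$([^:]+):(.+)$")

def scram_verify_plain_password(password: str, verifier: str) -> bool:
    """True if the 'SCRAM-SHA-256$iter:salt$StoredKey:ServerKey' string came from password."""
    m = _VERIFIER.match(verifier)
    if not m:
        raise ValueError("not a SCRAM-SHA-256 verifier")
    iterations, salt, stored = int(m[1]), base64.b64decode(m[2]), base64.b64decode(m[3])
    return hmac.compare_digest(_stored_key(password, salt, iterations), stored)

def check_encrypted(username: str, verifier: str) -> Optional[str]:
    """The only test possible on a verifier: guess the user name and verify it."""
    if scram_verify_plain_password(username, verifier):
        return "password must not equal user name"
    return None

def build_verifier(password: str, iterations: int = 4096) -> str:
    """Constructed verifier in PostgreSQL's on-disk format (random salt each call)."""
    salt = os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda b: base64.b64encode(b).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(_stored_key(password, salt, iterations))}:{b64(server_key)}"
```

Any password other than the user name itself passes check_encrypted untouched, which is the gap the text describes; enforcing real policy on the verifier would require guessing every candidate.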