passwordcheck

A contrib module for checking that user passwords meet certain criteria

passwordcheck is a contrib module for checking that user passwords meet certain criteria.

passwordcheck was added in PostgreSQL 9.0 to provide a sample implementation for code using the hook check_password_hook.

Usage

passwordcheck is activated by inclusion in shared_preload_libraries.

As-is, it performs a limited range of checks. For a password supplied as plain text it enforces a minimum length of eight characters, rejects a password that contains the role name (a case-sensitive substring test), and requires a mix of letters and non-letters; a build compiled with USE_CRACKLIB additionally rejects passwords that CrackLib considers easily cracked. For a password supplied in already-encrypted form it can only test whether the supplied secret is the role name itself, by recomputing the secret for that one guess: the server cannot inspect the length or composition of a hashed password, so any further check would amount to guessing. Because most client tools (psql's \password, createuser --pwprompt and anything using libpq's PQencryptPasswordConn()) hash the password client-side before sending it, the plaintext rules are rarely exercised in practice, and the module is of limited practical use in a real-world security environment. Given that PostgreSQL provides comparatively limited functionality for managing password validity, configuring an external authentication mechanism such as GSSAPI, SSPI, LDAP, or RADIUS is recommended.

Change history

passwordcheck has not been significantly modified since it was added in PostgreSQL 9.0.

Examples

passwordcheck must be enabled via shared_preload_libraries (changing this setting requires a server restart):

postgres=# SHOW shared_preload_libraries;
 shared_preload_libraries 
--------------------------
 passwordcheck
(1 row)

Example usage with passwords provided as plain text:

postgres=# ALTER ROLE foo PASSWORD 'foo';
ERROR:  password is too short

postgres=# ALTER ROLE postgres PASSWORD 'postgres';
ERROR:  password must not contain user name

postgres=# ALTER ROLE foo PASSWORD 'foobarbaz';
ERROR:  password must not contain user name

postgres=# ALTER ROLE foo PASSWORD 'boobarbaz';
ERROR:  password must contain both letters and nonletters

With passwords provided in encrypted form, only one check is possible: the module recomputes the secret for the user name itself (the salt and iteration count are part of the stored secret, so this is a single guess rather than an inspection of the password) and rejects the value if it matches:

postgres=# ALTER ROLE foo ENCRYPTED PASSWORD 'SCRAM-SHA-256$4096:eUHVJZ5WSsEomBt9BgHJzQ==$x57IR2ZcoKl8tlz5I2w636bquX3JmCYmi4LlDIa5lIY=:viXV52BLraOFRaw1gCp22K9VgLe6Rvi1nvcWNR6PTe4=';
ERROR:  password must not equal user name

Any other encrypted value is accepted as-is; here the secret for the value foobar (which would be rejected as plain text) is supplied as the encrypted password:

postgres=# ALTER ROLE foo ENCRYPTED PASSWORD 'SCRAM-SHA-256$4096:aiSTMi/J+KkJa9WFMgiahg==$f//pUq3yGJ6E8UbCxJWcGvnylc0aNuZR6WuLAcYSzWA=:yzMz+l1TIAYQ28tdQ2YopKwQiIjMwpGAariL2jmeaxU=';
ALTER ROLE
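To make the two code paths above concrete, the following is an added Python example (it is not part of passwordcheck or of this page) that reimplements the module's plaintext rules and the single check possible on a SCRAM-SHA-256 secret. It assumes the module's minimum length of eight characters, ASCII-only passwords (PostgreSQL additionally applies SASLprep before hashing), and a constructed 16-byte salt; the function names are the example's own.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Minimum length enforced on plaintext passwords (assumed to match the module's default).
MIN_PWD_LEN = 8


def check_plaintext(username: str, password: str) -> Optional[str]:
    """Apply the rules the module uses for a plaintext password.

    Returns None when the password is accepted, otherwise the rejection
    message. Rules run in order: length, user-name substring, letter/non-letter
    mix. The substring test is case-sensitive, so 'Foobarbaz' passes for role foo.
    """
    if len(password) < MIN_PWD_LEN:
        return "password is too short"
    if username in password:
        return "password must not contain user name"
    # Only ASCII letters count as letters; anything else is a non-letter.
    has_letter = any(c.isascii() and c.isalpha() for c in password)
    has_nonletter = any(not (c.isascii() and c.isalpha()) for c in password)
    if not (has_letter and has_nonletter):
        return "password must contain both letters and nonletters"
    return None


def scram_sha256_secret(password: str, salt: bytes, iterations: int = 4096) -> str:
    """Build a SCRAM-SHA-256 secret in PostgreSQL's stored format.

    SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>, each field base64.
    SASLprep is skipped here, which is only correct for ASCII passwords.
    """
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def scram_matches(candidate: str, secret: str) -> bool:
    """True if candidate is the password behind secret.

    The salt and iteration count are public in the stored secret, so anyone
    holding it (the server, or whoever can read pg_authid) can recompute the
    secret for a guess and compare. That is all a hook can do with an
    already-encrypted password: it cannot recover length or character mix.
    """
    scheme, _, rest = secret.partition("$")
    if scheme != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 secret")
    params, _, _keys = rest.partition("$")
    iterations, _, salt_b64 = params.partition(":")
    salt = base64.b64decode(salt_b64)
    recomputed = scram_sha256_secret(candidate, salt, int(iterations))
    return hmac.compare_digest(recomputed.encode("ascii"), secret.encode("ascii"))


def check_encrypted(username: str, secret: str) -> Optional[str]:
    """The single check possible on an encrypted password: is it the user name?"""
    if scram_matches(username, secret):
        return "password must not equal user name"
    return None


def check_password(username: str, password: str, encrypted: bool) -> Optional[str]:
    """Dispatch on the password type, as the hook does."""
    if encrypted:
        return check_encrypted(username, password)
    return check_plaintext(username, password)


if __name__ == "__main__":
    # Constructed salt; a real server draws a random one per password.
    salt = bytes(range(16))
    for user, pwd in [("foo", "foo"), ("postgres", "postgres"),
                      ("foo", "foobarbaz"), ("foo", "boobarbaz"), ("foo", "b00barbaz")]:
        print(f"{user!r} / plaintext {pwd!r}: {check_password(user, pwd, False) or 'accepted'}")
    for pwd in ("foo", "foobar"):
        secret = scram_sha256_secret(pwd, salt)
        print(f"'foo' / encrypted {pwd!r}: {check_password('foo', secret, True) or 'accepted'}")
```

Running the script reproduces the session above: the plaintext path rejects four of the five candidates, while on the encrypted path only the secret for foo is caught and the secret for foobar is accepted, because the only thing scram_matches can do with a stored secret is recompute it for one guess at a time.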

Categories

Authentication, Coding example, Contrib module

See also

check_password_hook