passwordcheck extension

The passwordcheck PostgreSQL module provides a means to check user passwords whenever they are set with CREATE ROLE or ALTER ROLE. If a password is considered too weak, it will be rejected and the command will terminate with an error.

Enable passwordcheck

To enable the passwordcheck extension, add passwordcheck to shared_preload_libraries in the PostgreSQL server configuration parameters using the YB-TServer --ysql_pg_conf_csv flag:

--ysql_pg_conf_csv=shared_preload_libraries=passwordcheck

Note that modifying shared_preload_libraries requires restarting the YB-TServer.

Customize passwordcheck

You can customize the following passwordcheck parameters:

Parameter Description Default
minimum_length Minimum password length. 8
maximum_length Maximum password length. 15
restrict_lower Passwords must include a lowercase character. true
restrict_upper Passwords must include an uppercase character. true
restrict_numbers Passwords must include a number. true
restrict_special Passwords must include a special character. true
special_chars The set of special characters. !@#$%^&*()_+{}|<>?=

For example, the following flag changes the minimum and maximum passwordcheck lengths:

--ysql_pg_conf_csv=shared_preload_libraries=passwordcheck,passwordcheck.minimum_length=10,passwordcheck.maximum_length=18

Example

You can change passwordcheck parameters for the current session only using a SET statement. For example, to increase the maximum length allowed and not require numbers, execute the following commands:

SET passwordcheck.maximum_length TO 20;
SET passwordcheck.restrict_numbers TO false;

When enabled, if a password is considered too weak, it's rejected with an error. For example:

yugabyte=# create role test_role password 'tooshrt';
ERROR:  password is too short
yugabyte=# create role test_role password 'nonumbers';
ERROR:  password must contain both letters and nonletters
yugabyte=# create role test_role password '12test_role12';
ERROR:  password must not contain user name

The passwordcheck extension only works for passwords that are provided in plain text. For more information, refer to the PostgreSQL passwordcheck documentation.