passwordpolicy
passwordpolicy : Dynamically configurable PostgreSQL password complexity checks.
Overview
| ID | Extension | Package | Version | Category | License | Language |
|---|---|---|---|---|---|---|
| 7040 | passwordpolicy | passwordpolicy | 2.0.5 | SEC | PostgreSQL | C |

| Attribute | Has Binary | Has Library | Need Load | Has DDL | Relocatable | Trusted |
|---|---|---|---|---|---|---|
| --sLd-r | No | Yes | Yes | Yes | Yes | No |

| Relationships | |
|---|---|
| See Also | passwordcheck, passwordcheck_cracklib, credcheck |
PGDG RPM and Pigsty DEB packages of fmbiete/passwordpolicy 2.0.5; requires loading via shared_preload_libraries and the cracklib runtime.
Packages
| Type | Repo | Version | PG Major Compatibility | Package Pattern | Dependencies |
|---|---|---|---|---|---|
| EXT | PGDG | 2.0.5 | 18, 17, 16, 15, 14 | passwordpolicy | - |
| RPM | PGDG | 2.0.5 | 18, 17, 16, 15, 14 | passwordpolicy_$v | cracklib |
| DEB | PIGSTY | 2.0.5 | 18, 17, 16, 15, 14 | postgresql-$v-passwordpolicy | cracklib-runtime, libcrack2 |
| Linux / PG | PG18 | PG17 | PG16 | PG15 | PG14 |
|---|---|---|---|---|---|
| el8.x86_64 | PGDG 2.0.5 | PGDG 2.0.5 | PGDG 2.0.5 | PGDG 2.0.5 | PGDG 2.0.5 |
| el8.aarch64 | PGDG 2.0.5 | PGDG 2.0.5 | PGDG 2.0.5 | PGDG 2.0.5 | PGDG 2.0.5 |
| el9.x86_64 | PGDG 2.0.5 | PGDG 2.0.5 | PGDG 2.0.5 | PGDG 2.0.5 | PGDG 2.0.5 |
| el9.aarch64 | PGDG 2.0.5 | PGDG 2.0.5 | PGDG 2.0.5 | PGDG 2.0.5 | PGDG 2.0.5 |
| el10.x86_64 | PGDG 2.0.5 | PGDG 2.0.5 | PGDG 2.0.5 | PGDG 2.0.5 | PGDG 2.0.5 |
| el10.aarch64 | PGDG 2.0.5 | PGDG 2.0.5 | PGDG 2.0.5 | PGDG 2.0.5 | PGDG 2.0.5 |
| d12.x86_64 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 |
| d12.aarch64 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 |
| d13.x86_64 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 |
| d13.aarch64 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 |
| u22.x86_64 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 |
| u22.aarch64 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 |
| u24.x86_64 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 |
| u24.aarch64 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 |
| u26.x86_64 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 |
| u26.aarch64 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 |
Source

```bash
pig build pkg passwordpolicy  # build rpm/deb
```

Install

Make sure the PGDG repo is available:

```bash
pig repo add pgdg -u  # add pgdg repo and update cache
```

Install this extension with pig:

```bash
pig install passwordpolicy        # install via package name, for the active PG version
pig install passwordpolicy -v 18  # install for PG 18
pig install passwordpolicy -v 17  # install for PG 17
pig install passwordpolicy -v 16  # install for PG 16
pig install passwordpolicy -v 15  # install for PG 15
pig install passwordpolicy -v 14  # install for PG 14
```

Add this extension to shared_preload_libraries:

```ini
shared_preload_libraries = '$libdir/passwordpolicy'
```

Create this extension with:

```sql
CREATE EXTENSION passwordpolicy;
```

Usage
Sources: README, v2.0.5 release, control file

passwordpolicy is a configurable replacement for PostgreSQL's passwordcheck module. It checks passwords during CREATE ROLE and ALTER ROLE, can enforce password history and validity rules, and can simulate soft account locks after repeated failed logins.

Enable the Hook

Load the module before other password-check modules, then restart PostgreSQL:

```ini
shared_preload_libraries = 'passwordpolicy'
```

Install the SQL extension in the postgres database when using the account soft-lock or password-history features:

```sql
CREATE EXTENSION passwordpolicy;
```

Password Complexity

Settings are dynamic, but new values take effect only in new sessions:

```ini
password_policy.min_password_len = 15
password_policy.min_special_chars = 1
password_policy.min_numbers = 1
password_policy.min_uppercase_letter = 1
password_policy.min_lowercase_letter = 1
password_policy.require_validuntil = off
```

Enable CrackLib dictionary checks only after creating the dictionary file:

```ini
password_policy.cracklib_dictpath = '/var/cache/cracklib/postgresql_dict'
password_policy.enable_dictionary_check = on
```

Soft Account Lock

Soft-locking tracks failed login attempts and delays or rejects responses after the configured threshold:

```ini
password_policy_lock.number_failures = 5
password_policy_lock.failure_delay = 5
password_policy_lock.auto_unlock = on
password_policy_lock.auto_unlock_after = 0
password_policy_lock.max_number_accounts = 100
```

Inspect and reset lock state:

```sql
SELECT * FROM passwordpolicy.accounts_locked() ORDER BY usename;
SELECT passwordpolicy.account_locked_reset('app_user');
```

If password_policy_lock.include_all = false, only roles listed in passwordpolicy.accounts_lockable are considered for soft-lock.

Password History

Password history stores recent password hashes in the postgres database and checks new passwords against them:

```ini
password_policy_history.max_password_history = 5
password_policy_history.max_number_accounts = 100
```

Caveats

- Version 2.0.5 supports PostgreSQL 14-18.
- This module must be preloaded; changing shared_preload_libraries requires a restart.
- PostgreSQL cannot truly block authentication before it happens, so soft-lock simulates the lock by delaying and returning an error. It does not mitigate authentication DoS attacks.
- Size password_policy_lock.max_number_accounts and password_policy_history.max_number_accounts realistically to avoid wasted memory or missed accounts.
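As an added example (not part of this page or of the passwordpolicy project), a Python pre-flight check that mirrors the password_policy.* complexity settings listed under Password Complexity, so a provisioning script can reject a role password locally instead of sending it to the server for a predictable rejection. The character-class definitions (digits, upper, lower, ASCII punctuation as "special") are assumptions; the server-side hook remains the authoritative check.

```python
import string

# Constructed policy mirroring the password_policy.* GUC values shown on this page.
# Keys are the GUC names; values are the minimum counts the extension enforces.
DEFAULT_POLICY = {
    "password_policy.min_password_len": 15,
    "password_policy.min_special_chars": 1,
    "password_policy.min_numbers": 1,
    "password_policy.min_uppercase_letter": 1,
    "password_policy.min_lowercase_letter": 1,
}


def count_classes(password: str) -> dict:
    """Count characters per class. Assumption: 'special' means ASCII punctuation;
    the extension's own definition of a special character may differ."""
    counts = {"numbers": 0, "upper": 0, "lower": 0, "special": 0}
    for ch in password:
        if ch.isdigit():
            counts["numbers"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch in string.punctuation:
            counts["special"] += 1
    return counts


def check_password(password: str, policy: dict = DEFAULT_POLICY) -> list:
    """Return the GUC names whose minimum the password fails; an empty list means
    compliant. Only requirement names are returned, so nothing about the secret
    itself ends up in logs or error messages."""
    counts = count_classes(password)
    have = {
        "password_policy.min_password_len": len(password),
        "password_policy.min_special_chars": counts["special"],
        "password_policy.min_numbers": counts["numbers"],
        "password_policy.min_uppercase_letter": counts["upper"],
        "password_policy.min_lowercase_letter": counts["lower"],
    }
    # A GUC absent from the policy dict is treated as unset (minimum 0).
    return [guc for guc, n in have.items() if n < policy.get(guc, 0)]


if __name__ == "__main__":
    # Constructed samples: one compliant password and one that is too short.
    for candidate in ("Tr0ub4dor&3xampleZ", "short1A!"):
        print(check_password(candidate) or "compliant")
```

The returned GUC names map directly to the postgresql.conf settings above, so a failing check tells the operator which setting to point the user at without echoing the password.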