passwordpolicy

passwordpolicy: Dynamically configurable PostgreSQL password complexity checks.

Overview

ID    Extension       Package         Version  Category  License     Language
7040  passwordpolicy  passwordpolicy  2.0.5    SEC       PostgreSQL  C

Attribute  Has Binary  Has Library  Need Load  Has DDL  Relocatable  Trusted
--sLd-r    No          Yes          Yes        Yes      yes          no

Relationships
See Also: passwordcheck, passwordcheck_cracklib, credcheck

The PGDG RPM and Pigsty DEB packages ship fmbiete/passwordpolicy 2.0.5; the extension requires shared_preload_libraries and the cracklib runtime.

Packages

Type  Repo    Version  PG Major Compatibility  Package Pattern               Dependencies
EXT   PGDG    2.0.5    18 17 16 15 14          passwordpolicy                -
RPM   PGDG    2.0.5    18 17 16 15 14          passwordpolicy_$v             cracklib
DEB   PIGSTY  2.0.5    18 17 16 15 14          postgresql-$v-passwordpolicy  cracklib-runtime, libcrack2

Linux / PG     PG18          PG17          PG16          PG15          PG14
el8.x86_64     PGDG 2.0.5    PGDG 2.0.5    PGDG 2.0.5    PGDG 2.0.5    PGDG 2.0.5
el8.aarch64    PGDG 2.0.5    PGDG 2.0.5    PGDG 2.0.5    PGDG 2.0.5    PGDG 2.0.5
el9.x86_64     PGDG 2.0.5    PGDG 2.0.5    PGDG 2.0.5    PGDG 2.0.5    PGDG 2.0.5
el9.aarch64    PGDG 2.0.5    PGDG 2.0.5    PGDG 2.0.5    PGDG 2.0.5    PGDG 2.0.5
el10.x86_64    PGDG 2.0.5    PGDG 2.0.5    PGDG 2.0.5    PGDG 2.0.5    PGDG 2.0.5
el10.aarch64   PGDG 2.0.5    PGDG 2.0.5    PGDG 2.0.5    PGDG 2.0.5    PGDG 2.0.5
d12.x86_64     PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5
d12.aarch64    PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5
d13.x86_64     PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5
d13.aarch64    PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5
u22.x86_64     PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5
u22.aarch64    PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5
u24.x86_64     PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5
u24.aarch64    PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5
u26.x86_64     PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5
u26.aarch64    PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5  PIGSTY 2.0.5

Package Version OS ORG SIZE File URL
passwordpolicy_18 2.0.5 el8.x86_64 pgdg 27.2 KiB passwordpolicy_18-2.0.5-1PGDG.rhel8.10.x86_64.rpm
passwordpolicy_18 2.0.5 el8.aarch64 pgdg 27.1 KiB passwordpolicy_18-2.0.5-1PGDG.rhel8.10.aarch64.rpm
passwordpolicy_18 2.0.5 el9.x86_64 pgdg 27.5 KiB passwordpolicy_18-2.0.5-1PGDG.rhel9.8.x86_64.rpm
passwordpolicy_18 2.0.5 el9.x86_64 pgdg 27.5 KiB passwordpolicy_18-2.0.5-1PGDG.rhel9.7.x86_64.rpm
passwordpolicy_18 2.0.5 el9.x86_64 pgdg 27.6 KiB passwordpolicy_18-2.0.5-1PGDG.rhel9.6.x86_64.rpm
passwordpolicy_18 2.0.5 el9.aarch64 pgdg 27.5 KiB passwordpolicy_18-2.0.5-1PGDG.rhel9.8.aarch64.rpm
passwordpolicy_18 2.0.5 el9.aarch64 pgdg 27.5 KiB passwordpolicy_18-2.0.5-1PGDG.rhel9.7.aarch64.rpm
passwordpolicy_18 2.0.5 el9.aarch64 pgdg 27.6 KiB passwordpolicy_18-2.0.5-1PGDG.rhel9.6.aarch64.rpm
passwordpolicy_18 2.0.5 el10.x86_64 pgdg 27.6 KiB passwordpolicy_18-2.0.5-1PGDG.rhel10.2.x86_64.rpm
passwordpolicy_18 2.0.5 el10.x86_64 pgdg 27.6 KiB passwordpolicy_18-2.0.5-1PGDG.rhel10.1.x86_64.rpm
passwordpolicy_18 2.0.5 el10.x86_64 pgdg 28.0 KiB passwordpolicy_18-2.0.5-1PGDG.rhel10.0.x86_64.rpm
passwordpolicy_18 2.0.5 el10.aarch64 pgdg 27.7 KiB passwordpolicy_18-2.0.5-1PGDG.rhel10.2.aarch64.rpm
passwordpolicy_18 2.0.5 el10.aarch64 pgdg 27.8 KiB passwordpolicy_18-2.0.5-1PGDG.rhel10.1.aarch64.rpm
passwordpolicy_18 2.0.5 el10.aarch64 pgdg 27.7 KiB passwordpolicy_18-2.0.5-1PGDG.rhel10.0.aarch64.rpm
postgresql-18-passwordpolicy 2.0.5 d12.x86_64 pigsty 51.9 KiB postgresql-18-passwordpolicy_2.0.5-1PIGSTY~bookworm_amd64.deb
postgresql-18-passwordpolicy 2.0.5 d12.aarch64 pigsty 51.3 KiB postgresql-18-passwordpolicy_2.0.5-1PIGSTY~bookworm_arm64.deb
postgresql-18-passwordpolicy 2.0.5 d13.x86_64 pigsty 51.8 KiB postgresql-18-passwordpolicy_2.0.5-1PIGSTY~trixie_amd64.deb
postgresql-18-passwordpolicy 2.0.5 d13.aarch64 pigsty 51.4 KiB postgresql-18-passwordpolicy_2.0.5-1PIGSTY~trixie_arm64.deb
postgresql-18-passwordpolicy 2.0.5 u22.x86_64 pigsty 55.6 KiB postgresql-18-passwordpolicy_2.0.5-1PIGSTY~jammy_amd64.deb
postgresql-18-passwordpolicy 2.0.5 u22.aarch64 pigsty 55.0 KiB postgresql-18-passwordpolicy_2.0.5-1PIGSTY~jammy_arm64.deb
postgresql-18-passwordpolicy 2.0.5 u24.x86_64 pigsty 54.2 KiB postgresql-18-passwordpolicy_2.0.5-1PIGSTY~noble_amd64.deb
postgresql-18-passwordpolicy 2.0.5 u24.aarch64 pigsty 54.1 KiB postgresql-18-passwordpolicy_2.0.5-1PIGSTY~noble_arm64.deb
postgresql-18-passwordpolicy 2.0.5 u26.x86_64 pigsty 53.9 KiB postgresql-18-passwordpolicy_2.0.5-1PIGSTY~resolute_amd64.deb
postgresql-18-passwordpolicy 2.0.5 u26.aarch64 pigsty 53.8 KiB postgresql-18-passwordpolicy_2.0.5-1PIGSTY~resolute_arm64.deb

Source

pig build pkg passwordpolicy;		# build rpm/deb

Install

Make sure the PGDG repo is available:

pig repo add pgdg -u    # add pgdg repo and update cache

Install this extension with pig:

pig install passwordpolicy;		# install via package name, for the active PG version

pig install passwordpolicy -v 18;   # install for PG 18
pig install passwordpolicy -v 17;   # install for PG 17
pig install passwordpolicy -v 16;   # install for PG 16
pig install passwordpolicy -v 15;   # install for PG 15
pig install passwordpolicy -v 14;   # install for PG 14

Add this extension to shared_preload_libraries:

shared_preload_libraries = '$libdir/passwordpolicy'

Create this extension with:

CREATE EXTENSION passwordpolicy;

Usage

Sources: README, v2.0.5 release, control file

passwordpolicy is a configurable replacement for PostgreSQL’s passwordcheck module. It checks passwords during CREATE ROLE and ALTER ROLE, can enforce password history and validity rules, and can simulate soft account locks after repeated failed logins.

Enable The Hook

Load the module before other password-check modules, then restart PostgreSQL:

shared_preload_libraries = 'passwordpolicy'

Install the SQL extension in the postgres database when using account soft-lock or password-history features:

CREATE EXTENSION passwordpolicy;

Password Complexity

Settings are dynamic, but new values apply to new sessions:

password_policy.min_password_len = 15
password_policy.min_special_chars = 1
password_policy.min_numbers = 1
password_policy.min_uppercase_letter = 1
password_policy.min_lowercase_letter = 1
password_policy.require_validuntil = off

Enable CrackLib dictionary checks only after creating the dictionary file:

password_policy.cracklib_dictpath = '/var/cache/cracklib/postgresql_dict'
password_policy.enable_dictionary_check = on
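
An added example (not code from the passwordpolicy project): a small Python audit of a postgresql.conf fragment for two requirements stated above, namely that passwordpolicy is preloaded ahead of other password-check modules and that the dictionary check is only switched on with a dictionary path set. The module names in OTHER_CHECKERS are an assumption taken from this page's See Also list, and the sample configuration is constructed.

```python
import re

# Assumption: the "other password-check modules" are the ones in this page's See Also list.
OTHER_CHECKERS = {"passwordcheck", "passwordcheck_cracklib", "credcheck"}
TRUE_VALUES = {"on", "true", "yes", "1"}
LINE_RE = re.compile(r"\s*([A-Za-z_][\w.]*)(?:\s*=\s*|\s+)('(?:[^']|'')*'|[^\s#]+)")

def parse_conf(text):
    """Parse postgresql.conf-style 'name = value' lines; the last assignment wins."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)  # commented-out lines start with '#' and never match
        if m:
            value = m.group(2)
            if value.startswith("'"):
                value = value[1:-1].replace("''", "'")  # unquote, undouble quotes
            settings[m.group(1).lower()] = value
    return settings

def audit(text):
    """Return findings for the passwordpolicy requirements described on this page."""
    conf, findings = parse_conf(text), []
    libs = [lib.strip().strip('"').split("/")[-1]  # '$libdir/passwordpolicy' -> 'passwordpolicy'
            for lib in conf.get("shared_preload_libraries", "").split(",") if lib.strip()]
    if "passwordpolicy" not in libs:
        findings.append("passwordpolicy is not in shared_preload_libraries")
    else:
        early = [lib for lib in libs[:libs.index("passwordpolicy")] if lib in OTHER_CHECKERS]
        if early:
            findings.append("loaded after other password-check modules: " + ", ".join(early))
    # An unset enable_dictionary_check is treated as "not enabled by this file".
    if conf.get("password_policy.enable_dictionary_check", "off").lower() in TRUE_VALUES:
        if not conf.get("password_policy.cracklib_dictpath"):
            findings.append("dictionary check is on but cracklib_dictpath is not set")
    return findings

# Constructed sample postgresql.conf fragment (not from the page).
SAMPLE = """
# other settings omitted
shared_preload_libraries = 'passwordcheck, $libdir/passwordpolicy'   # wrong order
password_policy.min_password_len = 15
password_policy.enable_dictionary_check = on
#password_policy.cracklib_dictpath = '/var/cache/cracklib/postgresql_dict'
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

The audit reads only the text it is given, so settings applied through other means (for example an included file) need to be fed in separately.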

Soft Account Lock

Soft-locking tracks failed login attempts and delays/rejects responses after the configured threshold:

password_policy_lock.number_failures = 5
password_policy_lock.failure_delay = 5
password_policy_lock.auto_unlock = on
password_policy_lock.auto_unlock_after = 0
password_policy_lock.max_number_accounts = 100

Inspect and reset lock state:

SELECT * FROM passwordpolicy.accounts_locked() ORDER BY usename;
SELECT passwordpolicy.account_locked_reset('app_user');

If password_policy_lock.include_all = false, only roles listed in passwordpolicy.accounts_lockable are considered for soft-lock.

Password History

Password history stores recent password hashes in the postgres database and checks new passwords against them:

password_policy_history.max_password_history = 5
password_policy_history.max_number_accounts = 100

Caveats

  • Version 2.0.5 supports PostgreSQL 14-18.
  • This module must be preloaded; changing shared_preload_libraries requires a restart.
  • PostgreSQL cannot truly block authentication before it happens, so soft-lock simulates the lock by delaying and returning an error. It does not mitigate authentication DoS attacks.
  • Size password_policy_lock.max_number_accounts and password_policy_history.max_number_accounts realistically to avoid wasted memory or missed accounts.