On the 18th of November, Tom Lane committed a patch by Laurenz Albe which adds a very interesting capability:
Add a hook to CREATE/ALTER ROLE to allow an external module to check the
strength of database passwords, and create a sample implementation of
such a hook as a new contrib module "passwordcheck".
Laurenz Albe, reviewed by Takahiro Itagaki
So, the basic idea is that it should be possible to check whether a password is strong, or at least strong enough. Up till now no such functionality existed.
But now, thanks to this new patch, we can do something like this:
First we need to enable the module. Edit postgresql.conf and make sure this line is there:
shared_preload_libraries = '$libdir/passwordcheck'
Now do pg_ctl restart, and then:
# alter user depesz with password 'depesz';
ERROR: password is too short
# alter user depesz with password 'depesz12';
ERROR: password must not contain user name
# alter user depesz with password 'depesxxx';
ERROR: password must contain both letters and nonletters
Default limits are:
- minimum 8 characters
- password cannot contain username
- it must contain at least 1 letter and at least 1 non-letter
These limits are changeable, but the beauty is that you can easily compile the passwordcheck contrib module with CrackLib support to get all of its power within PostgreSQL.
