Waiting for 8.5 – checking password strength

On 18th of November, Tom Lane committed a patch by Laurenz Albe which adds a very interesting capability:

Add a hook to CREATE/ALTER ROLE to allow an external module to check the
strength of database passwords, and create a sample implementation of
such a hook as a new contrib module "passwordcheck".
Laurenz Albe, reviewed by Takahiro Itagaki

So, the basic idea is that it should be possible to check whether a password is strong. Or at least: strong enough. Up till now no such functionality existed in core PostgreSQL: any string, including an empty one or the role name itself, was accepted.

But now, thanks to this new patch, we can do something like this:

First we need to load the module. Edit postgresql.conf and make sure it contains:

shared_preload_libraries = '$libdir/passwordcheck'

Then restart the server (pg_ctl restart), since shared_preload_libraries is only read at startup, and try it:

# ALTER USER depesz WITH password 'depesz';
ERROR:  password is too short
# ALTER USER depesz WITH password 'depesz12';
ERROR:  password must not contain user name
# ALTER USER depesz WITH password 'depesxxx';
ERROR:  password must contain both letters and nonletters

Default limits are:

  • minimum 8 characters
  • password cannot contain username
  • it must contain at least 1 letter and at least 1 non-letter
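The same three rules, as a client-side pre-check you can run before sending the ALTER USER. This is an added example written for this post, not code from the passwordcheck module; it follows the rules as listed above, and two matching details the post does not state (counting bytes rather than characters, and a case-sensitive substring match for the user name) are assumptions made here. It also builds the ALTER USER statement with a properly escaped E'...' literal, so a password containing a quote or backslash cannot break the statement.

```python
"""Client-side pre-check mirroring passwordcheck's default rules.

Added example: NOT the contrib module's code. Rules follow the post's list;
the exact matching details (byte length, case-sensitive substring) are
assumptions made here.
"""
from typing import Optional

MIN_PWD_LEN = 8  # the post's "minimum 8 characters"


def check_password(username: str, password: str) -> Optional[str]:
    """Return None if the password passes, otherwise the rejection reason.

    Checks run in the order the post's psql session shows them failing:
    length, then user name, then letters/nonletters.
    """
    # Assumption: the module counts bytes (C strlen), so count UTF-8 bytes here.
    if len(password.encode("utf-8")) < MIN_PWD_LEN:
        return "password is too short"
    # Assumption: plain case-sensitive substring match against the role name.
    if username in password:
        return "password must not contain user name"
    has_letter = any(ch.isalpha() for ch in password)
    has_nonletter = any(not ch.isalpha() for ch in password)
    if not (has_letter and has_nonletter):
        return "password must contain both letters and nonletters"
    return None


def quote_ident(name: str) -> str:
    """Double-quote an identifier, doubling any embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'


def quote_literal(text: str) -> str:
    """Build an E'...' literal with backslashes and single quotes escaped,
    so the result is valid whether or not standard_conforming_strings is on."""
    return "E'" + text.replace("\\", "\\\\").replace("'", "''") + "'"


def alter_user_statement(username: str, password: str) -> str:
    """Return an ALTER USER statement for a password that passes the
    pre-check, or raise ValueError with the reason the server would give."""
    reason = check_password(username, password)
    if reason is not None:
        raise ValueError(reason)
    return "ALTER USER %s WITH PASSWORD %s;" % (
        quote_ident(username), quote_literal(password))


if __name__ == "__main__":
    # Constructed sample: the three rejects from the post plus one that passes.
    for pwd in ("depesz", "depesz12", "depesxxx", "c0rrect-h0rse"):
        print(pwd, "->", check_password("depesz", pwd) or "ok")
    print(alter_user_statement("depesz", "it's 0k!!"))
```

Running a check like this on the client is worth doing even with the module loaded on the server: the server-side hook can only inspect what arrives in plain text, so a pre-hashed password bypasses most of its rules.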

These limits are changeable (they are compile-time constants in passwordcheck.c, so changing them means rebuilding the module), but the beauty is that you can easily compile the passwordcheck contrib module with CrackLib support to get all of its dictionary-based checking within PostgreSQL. One caveat to keep in mind: the hook only sees what the client sends. If the password arrives already MD5-hashed (as psql's \password does), the module cannot check its strength at all; the only thing it can still verify is that the hash is not simply that of the user name.