On the 18th of November Tom Lane committed a patch by Laurenz Albe which adds a very interesting capability:
Add a hook to CREATE/ALTER ROLE to allow an external module to check the strength of database passwords, and create a sample implementation of such a hook as a new contrib module "passwordcheck". Laurenz Albe, reviewed by Takahiro Itagaki
So, the basic idea is that it should be possible to check a password for being strong, or at least strong enough. Until now no such functionality existed.
But now, thanks to this new patch, we can do something like this:
First we need to enable the module. Edit postgresql.conf, and make sure this line is in it:
shared_preload_libraries = '$libdir/passwordcheck'
Since shared_preload_libraries is only read at server start, a reload is not enough: do pg_ctl restart, and then:
# alter user depesz with password 'depesz';
ERROR:  password is too short
# alter user depesz with password 'depesz12';
ERROR:  password must not contain user name
# alter user depesz with password 'depesxxx';
ERROR:  password must contain both letters and nonletters
Default limits are:
- minimum 8 characters
- password cannot contain the user name (a plain, case-sensitive substring match)
- it must contain at least 1 letter and at least 1 non-letter
These limits are changeable (by editing the module's source), but the beauty is that you can easily compile the passwordcheck contrib module with CrackLib support and get all of its dictionary-based checking inside PostgreSQL.
One caveat to keep in mind: the module can only inspect a password that reaches the server in plain text. If the client hashes it first (psql's \password does exactly that), the server never sees the password, and the most passwordcheck can do is test whether the hash is the one the user name itself would produce. So the check is easy to sidestep, and it should be treated as a safety net rather than as a real password policy.
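To make the default rules concrete, here is a small stand-alone model of them in Python. This is an added example, not the module's C code: the three error strings for plain-text passwords are the ones shown in the session above, while the "md5" branch, its message and the helper pg_md5_password (which builds the "md5" + md5(password || username) form a client may send instead of plain text) are my own illustration of what the module can and cannot check when the password arrives already hashed. The sample user names and passwords are constructed.

```python
import hashlib
import re
from typing import Optional

# Same minimum length as the module's default.
MIN_PWD_LEN = 8

# Shape of a password that a client has already hashed before sending it:
# the literal prefix "md5" followed by 32 hex digits.
MD5_PASSWORD_RE = re.compile(r"md5[0-9a-f]{32}")


def pg_md5_password(password: str, username: str) -> str:
    """Pre-hashed form a client may send instead of plain text:
    "md5" + hex(md5(password || username)), as in PostgreSQL's MD5 scheme.
    Helper written for this example."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def check_password(username: str, password: str) -> Optional[str]:
    """Return None when the password is accepted, otherwise the rejection reason.

    Stand-alone re-implementation of the default rules for illustration only;
    it is not the contrib module's own code.
    """
    if MD5_PASSWORD_RE.fullmatch(password):
        # The server never sees the plain text here. The only guess it can test
        # is whether the hash is that of the user name itself.
        if password == pg_md5_password(username, username):
            return "password must not equal user name"  # message is illustrative
        return None  # accepted unchecked: strength is unknown to the server

    # Rule 1: minimum length.
    if len(password) < MIN_PWD_LEN:
        return "password is too short"

    # Rule 2: the user name must not appear in the password
    # (case-sensitive substring match, like strstr() in C).
    if username in password:
        return "password must not contain user name"

    # Rule 3: at least one letter and at least one non-letter.
    has_letter = any(ch.isalpha() for ch in password)
    has_nonletter = any(not ch.isalpha() for ch in password)
    if not (has_letter and has_nonletter):
        return "password must contain both letters and nonletters"

    return None


if __name__ == "__main__":
    # Constructed sample inputs: the ones from the session above, one that
    # passes, and a weak password that slips through because it arrives hashed.
    for user, pw in [
        ("depesz", "depesz"),
        ("depesz", "depesz12"),
        ("depesz", "depesxxx"),
        ("depesz", "Xk9#qwer"),
        ("depesz", pg_md5_password("depesz12", "depesz")),
    ]:
        print(f"{pw!r:45} -> {check_password(user, pw) or 'accepted'}")
```

The last sample is the point of the caveat above: 'depesz12' is rejected in plain text, but the same password sent as an md5 hash is accepted, because nothing in the hash tells the server how long or how varied the original was.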