Waiting for 8.5 – checking password strength
December 17th, 2009 by depesz

On 18th of November Tom Lane committed patch by Laurenz Albe which adds very interesting capability:

Add a hook to CREATE/ALTER ROLE to allow an external module to check the
strength of database passwords, and create a sample implementation of
such a hook as a new contrib module "passwordcheck".
 
Laurenz Albe, reviewed by Takahiro Itagaki

So, the basic idea is that it should be possible to check a password for being strong. Or at least: strong enough. Up till now no such functionality existed.

But now, thanks to this new patch, we can do something like this:

First we need to enable the module. Edit postgresql.conf and make sure this line is there:

shared_preload_libraries = '$libdir/passwordcheck'

Now run pg_ctl restart, and then:

# alter user depesz with password 'depesz';
ERROR:  password is too short
 
# alter user depesz with password 'depesz12';
ERROR:  password must not contain user name
 
# alter user depesz with password 'depesxxx';
ERROR:  password must contain both letters and nonletters

Default limits are:

  • minimum 8 characters
  • password cannot contain username
  • it must contain at least 1 letter and at least 1 non-letter

These limits are changeable, but the beauty is that you can easily compile the passwordcheck contrib module with CrackLib support to get all of its power within PostgreSQL.
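To see exactly what the three default rules reject, here is an added stand-alone re-implementation of them (my own example, not the contrib module's code, which runs inside the server through its check_password_hook); it assumes the username match is a plain case-sensitive substring test, and it is handy for pre-validating a candidate password before issuing ALTER ROLE.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MIN_PWD_LEN 8   /* matches the "minimum 8 characters" default */

/* Outcome of a check; each non-OK value maps to one of the errors shown above. */
typedef enum {
    PWD_OK = 0,
    PWD_TOO_SHORT,
    PWD_CONTAINS_USERNAME,
    PWD_NEEDS_LETTER_AND_NONLETTER
} PwdVerdict;

static const char *const pwd_verdict_msg[] = {
    "ok",
    "password is too short",
    "password must not contain user name",
    "password must contain both letters and nonletters"
};

/* Re-implements the default policy: length, username substring, letter/non-letter mix.
 * Note that the server-side hook can only apply these rules when the password reaches
 * it in plaintext; a client that sends an already-hashed password bypasses them. */
PwdVerdict check_password(const char *username, const char *password)
{
    size_t pwdlen = strlen(password);
    bool has_letter = false, has_nonletter = false;

    if (pwdlen < MIN_PWD_LEN)
        return PWD_TOO_SHORT;

    /* Assumed to mirror the module: case-sensitive substring match on the role name. */
    if (strstr(password, username) != NULL)
        return PWD_CONTAINS_USERNAME;

    for (size_t i = 0; i < pwdlen; i++) {
        if (isalpha((unsigned char) password[i]))
            has_letter = true;
        else
            has_nonletter = true;
    }
    if (!has_letter || !has_nonletter)
        return PWD_NEEDS_LETTER_AND_NONLETTER;

    return PWD_OK;
}

/* Human-readable text for a verdict, using the same wording as the server errors. */
const char *password_verdict_message(PwdVerdict v)
{
    return pwd_verdict_msg[v];
}
```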
