On the 18th of November Tom Lane committed a patch by Laurenz Albe which adds a very interesting capability:
Add a hook to CREATE/ALTER ROLE to allow an external module to check the strength of database passwords, and create a sample implementation of such a hook as a new contrib module "passwordcheck". Laurenz Albe, reviewed by Takahiro Itagaki
So, the basic idea is that it should be possible to check whether a password is strong, or at least strong enough. Up till now no such functionality existed.
But now, thanks to this new patch, we can do something like this:
First we need to enable the module. Edit postgresql.conf, and make sure this line is there:
shared_preload_libraries = '$libdir/passwordcheck'
Then pg_ctl restart, and:
# ALTER USER depesz WITH password 'depesz';
ERROR:  password is too short
# ALTER USER depesz WITH password 'depesz12';
ERROR:  password must not contain user name
# ALTER USER depesz WITH password 'depesxxx';
ERROR:  password must contain both letters and nonletters
Default limits are:
- minimum 8 characters
- password cannot contain username
- it must contain at least 1 letter and at least 1 non-letter
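To see exactly what these three rules accept and reject, here is a small Python model of the default policy. It is an added example, not code from the passwordcheck module or from PostgreSQL; the function names (check_password, verdict, pg_md5_encrypt) are my own. It goes slightly beyond the page in one respect: the hook only sees the password in plain text when the client sends it that way. If the client has already hashed it in PostgreSQL's MD5 format (as psql's \password does), the module can only detect the single case "password equals user name", and that limitation is modelled too. The checks below mirror the module's byte-oriented C logic: length is counted in bytes, the user name check is a plain substring search, and only ASCII letters count as letters.

```python
import hashlib
import re

# passwordcheck's compiled-in default minimum length (MIN_PWD_LEN)
MIN_PWD_LEN = 8


class WeakPassword(ValueError):
    """Raised where the server would raise ERROR for the CREATE/ALTER ROLE."""


def pg_md5_encrypt(password: str, username: str) -> str:
    """PostgreSQL's MD5 password format: 'md5' + hex(md5(password || username))."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def is_md5_password(password: str) -> bool:
    """True if the password already arrives in the 'md5<32 hex digits>' form."""
    return re.fullmatch(r"md5[0-9a-f]{32}", password) is not None


def check_password(username: str, password: str) -> None:
    """Apply the default passwordcheck policy; raise WeakPassword on rejection.

    The messages match the errors the page shows for the plaintext case.
    """
    if is_md5_password(password):
        # Already hashed: the only weakness detectable without guessing is
        # password == user name, so that is the only check performed.
        if password == pg_md5_encrypt(username, username):
            raise WeakPassword("password must not contain user name")
        return

    pwd = password.encode("utf-8")   # the C code works on bytes (strlen/strstr)

    # rule 1: minimum length, counted in bytes
    if len(pwd) < MIN_PWD_LEN:
        raise WeakPassword("password is too short")

    # rule 2: plain, case-sensitive substring search for the user name
    if username.encode("utf-8") in pwd:
        raise WeakPassword("password must not contain user name")

    # rule 3: at least one ASCII letter and at least one non-letter byte;
    # non-ASCII bytes count as non-letters, as isalpha() in the C locale would
    has_letter = any(bytes([b]).isalpha() for b in pwd)
    has_nonletter = any(not bytes([b]).isalpha() for b in pwd)
    if not (has_letter and has_nonletter):
        raise WeakPassword("password must contain both letters and nonletters")


def verdict(username: str, password: str) -> str:
    """Return 'ok' or the rejection message, for easy tabulation."""
    try:
        check_password(username, password)
    except WeakPassword as err:
        return str(err)
    return "ok"


if __name__ == "__main__":
    # constructed sample inputs, including the three cases from the page
    samples = [
        ("depesz", "depesz"),
        ("depesz", "depesz12"),
        ("depesz", "depesxxx"),
        ("depesz", "xQ7!pl2m"),
        ("depesz", pg_md5_encrypt("depesz", "depesz")),  # hashed, but == user name
        ("depesz", pg_md5_encrypt("x", "depesz")),       # hashed, weak, yet accepted
    ]
    for user, pw in samples:
        print(f"{user!r:10} {pw!r:40} -> {verdict(user, pw)}")
```

The last sample is the practical point: a one-character password that arrives pre-hashed passes the module, so if you rely on passwordcheck you also want clients to send passwords unencrypted (over an SSL connection) rather than pre-hashed, or the policy is only partially enforced.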
These limits are changeable (they are constants in the module's source, so changing them means recompiling it), but the beauty is that you can easily compile the passwordcheck contrib module with CrackLib support to get all of its dictionary-based checking within PostgreSQL.