Waiting for 8.5 – checking password strength

On 18th of November Tom Lane committed patch by Laurenz Albe which adds very interesting capability:

Add a hook to CREATE/ALTER ROLE to allow an external module to check the
strength of database passwords, and create a sample implementation of
such a hook as a new contrib module "passwordcheck".
Laurenz Albe, reviewed by Takahiro Itagaki

So, the basic idea is thatit should be possible to check password for being strong. Or at least: strong enough. Up till now no such functionality existed.

But now, thanks to this new patch, we can do something like this:

First we need to enable the module. Edit postgresql.conf, and make sure it is there:

shared_preload_libraries = '$libdir/passwordcheck'

Now pg_ctl restart, and now:

# alter user depesz with password 'depesz';
ERROR:  password is too short
# alter user depesz with password 'depesz12';
ERROR:  password must not contain user name
# alter user depesz with password 'depesxxx';
ERROR:  password must contain both letters and nonletters

Default limits are:

  • minimum 8 characters
  • password cannot contain username
  • it must contain at least 1 letter and and least 1 non-letter

These limits are changable, but the beauty is that you can easily compile the passwordcheck contrib module with CrackLib support to get all of its power within PostgreSQL.