passwordcheck extension
This page documents the preview version (v2.23). Preview includes features under active development and is for development and testing only. For production, use the stable version (v2024.1). To learn more, see Versioning.
The passwordcheck PostgreSQL module provides a means to check user passwords whenever they are set with CREATE ROLE or ALTER ROLE. If a password is considered too weak, it will be rejected and the command will terminate with an error.
Enable passwordcheck
To enable the passwordcheck extension, add passwordcheck
to shared_preload_libraries
in the PostgreSQL server configuration parameters using the YB-TServer --ysql_pg_conf_csv flag:
--ysql_pg_conf_csv=shared_preload_libraries=passwordcheck
Note that modifying shared_preload_libraries
requires restarting the YB-TServer.
Customize passwordcheck
You can customize the following passwordcheck parameters:
Parameter | Description | Default |
---|---|---|
minimum_length | Minimum password length. | 8 |
maximum_length | Maximum password length. | 15 |
restrict_lower | Passwords must include a lowercase character. | true |
restrict_upper | Passwords must include an uppercase character. | true |
restrict_numbers | Passwords must include a number. | true |
restrict_special | Passwords must include a special character. | true |
special_chars | The set of special characters. | !@#$%^&*()_+{}|<>?= |
For example, the following flag changes the minimum and maximum passwordcheck lengths:
--ysql_pg_conf_csv=shared_preload_libraries=passwordcheck,passwordcheck.minimum_length=10,passwordcheck.maximum_length=18
Example
You can change passwordcheck parameters for the current session only using a SET
statement. For example, to increase the maximum length allowed and not require numbers, execute the following commands:
SET passwordcheck.maximum_length TO 20;
SET passwordcheck.restrict_numbers TO false;
When enabled, if a password is considered too weak, it's rejected with an error. For example:
yugabyte=# create role test_role password 'tooshrt';
ERROR: password is too short
yugabyte=# create role test_role password 'nonumbers';
ERROR: password must contain both letters and nonletters
yugabyte=# create role test_role password '12test_role12';
ERROR: password must not contain user name
The passwordcheck extension only works for passwords that are provided in plain text. For more information, refer to the PostgreSQL passwordcheck documentation.