passwordcheck extension
The passwordcheck PostgreSQL module provides a means to check user passwords whenever they are set with CREATE ROLE or ALTER ROLE. If a password is considered too weak, it will be rejected and the command will terminate with an error.
Enable passwordcheck
To enable the passwordcheck extension, add passwordcheck to shared_preload_libraries in the PostgreSQL server configuration parameters using the YB-TServer --ysql_pg_conf_csv flag:
--ysql_pg_conf_csv=shared_preload_libraries=passwordcheck
Note that modifying shared_preload_libraries requires restarting the YB-TServer.
Customize passwordcheck
You can customize the following passwordcheck parameters:
| Parameter | Description | Default |
|---|---|---|
| minimum_length | Minimum password length. | 8 |
| maximum_length | Maximum password length. | 15 |
| restrict_lower | Passwords must include a lowercase character. | true |
| restrict_upper | Passwords must include an uppercase character. | true |
| restrict_numbers | Passwords must include a number. | true |
| restrict_special | Passwords must include a special character. | true |
| special_chars | The set of special characters. | !@#$%^&*()_+{}|<>?= |
For example, the following flag changes the minimum and maximum passwordcheck lengths:
--ysql_pg_conf_csv=shared_preload_libraries=passwordcheck,passwordcheck.minimum_length=10,passwordcheck.maximum_length=18
Example
You can change passwordcheck parameters for the current session only using a SET statement. For example, to increase the maximum length allowed and not require numbers, execute the following commands:
SET passwordcheck.maximum_length TO 20;
SET passwordcheck.restrict_numbers TO false;
When enabled, if a password is considered too weak, it's rejected with an error. For example:
yugabyte=# create role test_role password 'tooshrt';
ERROR: password is too short
yugabyte=# create role test_role password 'nonumbers';
ERROR: password must contain both letters and nonletters
yugabyte=# create role test_role password '12test_role12';
ERROR: password must not contain user name
The passwordcheck extension only works for passwords that are provided in plain text. For more information, refer to the PostgreSQL passwordcheck documentation.