passwordcheck extension

This page documents the preview version (v2.23). Preview includes features under active development and is for development and testing only. For production, use the stable version (v2024.1). To learn more, see Versioning.

The passwordcheck PostgreSQL module provides a means to check user passwords whenever they are set with CREATE ROLE or ALTER ROLE. If a password is considered too weak, it will be rejected and the command will terminate with an error.

Enable passwordcheck

To enable the passwordcheck extension, add passwordcheck to shared_preload_libraries in the PostgreSQL server configuration parameters using the YB-TServer --ysql_pg_conf_csv flag:

--ysql_pg_conf_csv=shared_preload_libraries=passwordcheck

Note that modifying shared_preload_libraries requires restarting the YB-TServer.

Customize passwordcheck

You can customize the following passwordcheck parameters:

Parameter         Description                                       Default
minimum_length    Minimum password length.                          8
maximum_length    Maximum password length.                          15
restrict_lower    Passwords must include a lowercase character.     true
restrict_upper    Passwords must include an uppercase character.    true
restrict_numbers  Passwords must include a number.                  true
restrict_special  Passwords must include a special character.       true
special_chars     The set of special characters.                    !@#$%^&*()_+{}|<>?=

For example, the following flag changes the minimum and maximum passwordcheck lengths:

--ysql_pg_conf_csv=shared_preload_libraries=passwordcheck,passwordcheck.minimum_length=10,passwordcheck.maximum_length=18

Example

You can change passwordcheck parameters for the current session only by using a SET statement. For example, to increase the maximum length allowed and not require numbers, execute the following commands:

SET passwordcheck.maximum_length TO 20;
SET passwordcheck.restrict_numbers TO false;

When passwordcheck is enabled, a password that is considered too weak is rejected with an error. For example:

yugabyte=# create role test_role password 'tooshrt';
ERROR:  password is too short
yugabyte=# create role test_role password 'nonumbers';
ERROR:  password must contain both letters and nonletters
yugabyte=# create role test_role password '12test_role12';
ERROR:  password must not contain user name

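The passwordcheck extension can only check passwords that are provided to the server in plain text. When a client sends a password that is already hashed, the server never sees the original text, so these rules cannot be applied to it. For more information, refer to the PostgreSQL passwordcheck documentation.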
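Because only plain-text passwords are checked, tooling that hashes a password before sending it has to apply the policy itself. The following is an added example, not YugabyteDB or PostgreSQL code: a client-side check that mirrors the parameters and defaults in the table above. The `Policy` and `check_password` names, the messages, the ASCII character classes, and the case-insensitive user-name match are assumptions of this example.

```python
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    # Defaults copied from the parameter table on this page.
    minimum_length: int = 8
    maximum_length: int = 15
    restrict_lower: bool = True
    restrict_upper: bool = True
    restrict_numbers: bool = True
    restrict_special: bool = True
    special_chars: str = "!@#$%^&*()_+{}|<>?="


def check_password(username: str, password: str, policy: Policy = Policy()) -> list[str]:
    """Return every rule the password breaks; an empty list means it passes.

    Assumption: this follows the documented parameters only; it is not the
    extension's own logic and its messages differ from the server's errors.
    """
    def has(chars: str) -> bool:
        return any(c in chars for c in password)

    problems = []
    if len(password) < policy.minimum_length:
        problems.append("too short")
    if len(password) > policy.maximum_length:
        problems.append("too long")
    if policy.restrict_lower and not has(string.ascii_lowercase):
        problems.append("no lowercase character")
    if policy.restrict_upper and not has(string.ascii_uppercase):
        problems.append("no uppercase character")
    if policy.restrict_numbers and not has(string.digits):
        problems.append("no number")
    if policy.restrict_special and not has(policy.special_chars):
        problems.append("no special character")
    if username and username.lower() in password.lower():
        problems.append("contains user name")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the three passwords from the session above, plus one that passes.
    for pw in ("tooshrt", "nonumbers", "12test_role12", "Str0ng_Pass!"):
        print(pw, check_password("test_role", pw) or "ok")
```

Run the check before the password is hashed, and keep the `Policy` values in step with the flags set on the YB-TServer.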