passwordcheck

passwordcheck: checks user passwords and rejects weak ones

Overview

ID    Extension      Package        Version  Category  License     Language
7990  passwordcheck  passwordcheck  -        SEC       PostgreSQL  C

Attribute  Has Binary  Has Library  Need Load  Has DDL  Relocatable  Trusted
--sL---    No          Yes          Yes        No       No           No

Relationships

See Also: pg_auth_mon, credcheck, pgaudit, login_hook, auth_delay, set_user, sepgsql

Packages

PG18  PG17  PG16  PG15  PG14
-     -     -     -     -

This is a built-in contrib extension shipped with the PostgreSQL kernel.

Install

Add this extension to shared_preload_libraries:

shared_preload_libraries = '$libdir/passwordcheck'

This extension does not need the CREATE EXTENSION DDL command.

Usage

passwordcheck: Check password strength on CREATE/ALTER ROLE

passwordcheck validates password strength whenever passwords are set using CREATE ROLE or ALTER ROLE. Weak passwords are rejected with an error.

Configuration

Add to postgresql.conf:

shared_preload_libraries = 'passwordcheck'

Configuration Parameters

Parameter                          Default  Description
passwordcheck.min_password_length  8        Minimum password length in bytes (superuser only)

How It Works

The module checks passwords set via CREATE ROLE or ALTER ROLE:

-- Rejected if password is too short or too weak
CREATE ROLE myuser WITH LOGIN PASSWORD 'abc';
-- ERROR: password is too short

-- Accepted with a strong enough password
CREATE ROLE myuser WITH LOGIN PASSWORD 'Str0ng_P@ssword!';

Default Checks

Without CrackLib, the module enforces:

  • Minimum password length (configurable via passwordcheck.min_password_length)
  • Password must not be the username
  • Basic complexity requirements

Limitations

  • Pre-encrypted passwords sent by client programs cannot be fully validated
  • The module can only guess the actual password from encrypted submissions
  • For stronger security, consider external authentication methods (e.g., GSSAPI)
  • No CREATE EXTENSION is required – this is a shared library module only
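
The first two limitations, as an added Python model (not code from this page or from PostgreSQL): a plaintext submission gets the length, user-name and complexity checks, while an md5 or SCRAM-SHA-256 verifier can only be tested against a guess such as the user name. Assumptions: ASCII passwords (no SASLprep step), "basic complexity" modelled as letters plus non-letters, the user-name rule modelled as containment, and all function names and sample values constructed for illustration.

```python
import base64, hashlib, hmac, re

MIN_LEN = 8  # page default for passwordcheck.min_password_length

def md5_verifier(password, user):
    # PostgreSQL's legacy format: "md5" + md5(password || username)
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()

def _scram_keys(password, salt, iters):
    # RFC 5802: StoredKey = SHA256(HMAC(SaltedPassword, "Client Key"))
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    client = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    server = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return hashlib.sha256(client).digest(), server

def scram_verifier(password, salt, iters=4096):
    # Layout: SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>
    stored, server = (base64.b64encode(k).decode() for k in _scram_keys(password, salt, iters))
    return f"SCRAM-SHA-256${iters}:{base64.b64encode(salt).decode()}${stored}:{server}"

def is_hashed(secret):
    return bool(re.fullmatch(r"md5[0-9a-f]{32}", secret)) or secret.startswith("SCRAM-SHA-256$")

def guess_matches(verifier, user, guess):
    """True if `guess` is the password behind a pre-hashed verifier."""
    if verifier.startswith("md5"):
        return hmac.compare_digest(verifier, md5_verifier(guess, user))
    m = re.fullmatch(r"SCRAM-SHA-256\$(\d+):([^$]+)\$([^:]+):(.+)", verifier)
    if not m:
        return False
    stored, _ = _scram_keys(guess, base64.b64decode(m[2]), int(m[1]))
    return hmac.compare_digest(stored, base64.b64decode(m[3]))

def check(user, secret, min_len=MIN_LEN):
    """Rejection reasons ([] = accepted). Hashed input: only a guess can be tested."""
    if is_hashed(secret):
        return ["password must not be the user name"] if guess_matches(secret, user, user) else []
    reasons = []
    if len(secret.encode()) < min_len:
        reasons.append("password is too short")
    if user in secret:
        reasons.append("password must not contain the user name")
    # "Basic complexity" modelled as letters plus non-letters (assumption).
    if not (any(c.isalpha() for c in secret) and any(not c.isalpha() for c in secret)):
        reasons.append("password must contain letters and non-letters")
    return reasons

if __name__ == "__main__":  # constructed sample: a 3-byte password, sent plain and pre-hashed
    print(check("alice", "abc"), check("alice", md5_verifier("abc", "alice")))
```

The same three-byte password is rejected in plaintext and accepted once the client hashes it first, which is why the length and complexity rules only bind when the server sees the plaintext.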