passwordcheck

checks user passwords and reject weak password

Overview

Package	Version	Category	License	Language
`passwordcheck`	`-`	SEC	PostgreSQL	C

ID	Extension	Bin	Lib	Load	Create	Trust	Reloc	Schema
7990	`passwordcheck`	No	Yes	Yes	No	No	No	-

Related	`pg_auth_mon` `credcheck` `pgaudit` `login_hook` `auth_delay` `set_user` `sepgsql`

Version

PG18	PG17	PG16	PG15	PG14
-	-	-	-	-

Install

Note: This is a built-in contrib extension of PostgreSQL

Usage

passwordcheck: Check password strength on CREATE/ALTER ROLE

passwordcheck validates password strength whenever passwords are set using CREATE ROLE or ALTER ROLE. Weak passwords are rejected with an error.

Configuration

Add to postgresql.conf:

shared_preload_libraries = 'passwordcheck'

Configuration Parameters

Parameter	Default	Description
`passwordcheck.min_password_length`	`8`	Minimum password length in bytes (superuser only)

How It Works

The module checks passwords set via CREATE ROLE or ALTER ROLE:

-- Rejected if password is too short or too weak
CREATE ROLE myuser WITH LOGIN PASSWORD 'abc';
-- ERROR: password is too short

-- Accepted with a strong enough password
CREATE ROLE myuser WITH LOGIN PASSWORD 'Str0ng_P@ssword!';

Default Checks

Without CrackLib, the module enforces:

Minimum password length (configurable via passwordcheck.min_password_length)
Password must not be the username
Basic complexity requirements

Limitations

Pre-encrypted passwords sent by client programs cannot be fully validated
The module can only guess the actual password from encrypted submissions
For stronger security, consider external authentication methods (e.g., GSSAPI)
No CREATE EXTENSION is required – this is a shared library module only

Feedback

Was this page helpful?

Thanks for the feedback! Please let us know how we can improve.

Sorry to hear that. Please let us know how we can improve.

Last Modified 2026-03-12: add pg extension catalog (95749bf)