passwordpolicy

Dynamically configurable PostgreSQL password complexity checks.

Overview

PackageVersionCategoryLicenseLanguage
passwordpolicy2.0.5SECPostgreSQLC
IDExtensionBinLibLoadCreateTrustRelocSchema
7040passwordpolicyNoYesYesYesNoYes-
Relatedpasswordcheck passwordcheck_cracklib credcheck

PGDG RPM and Pigsty DEB package fmbiete/passwordpolicy 2.0.5; requires shared_preload_libraries and cracklib runtime.

Version

TypeRepoVersionPG VerPackageDeps
EXTPGDG2.0.51817161514passwordpolicy-
RPMPGDG2.0.51817161514passwordpolicy_$vcracklib
DEBPIGSTY2.0.51817161514postgresql-$v-passwordpolicycracklib-runtime, libcrack2
OS / PGPG18PG17PG16PG15PG14
el8.x86_64
el8.aarch64
el9.x86_64
el9.aarch64
el10.x86_64
el10.aarch64
d12.x86_64
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
d12.aarch64
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
d13.x86_64
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
d13.aarch64
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
u22.x86_64
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
u22.aarch64
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
u24.x86_64
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
u24.aarch64
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
u26.x86_64
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
u26.aarch64
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5
PIGSTY 2.0.5

Build

You can build the RPM / DEB packages for passwordpolicy using pig build:

pig build pkg passwordpolicy         # build RPM / DEB packages

Install

You can install passwordpolicy directly. First, make sure the PGDG repository is added and enabled:

pig repo add pgdg -u          # Add PGDG repo and update cache

Install the extension using pig or apt/yum/dnf:

pig install passwordpolicy;          # Install for current active PG version
pig ext install -y passwordpolicy -v 18  # PG 18
pig ext install -y passwordpolicy -v 17  # PG 17
pig ext install -y passwordpolicy -v 16  # PG 16
pig ext install -y passwordpolicy -v 15  # PG 15
pig ext install -y passwordpolicy -v 14  # PG 14
dnf install -y passwordpolicy_18       # PG 18
dnf install -y passwordpolicy_17       # PG 17
dnf install -y passwordpolicy_16       # PG 16
dnf install -y passwordpolicy_15       # PG 15
dnf install -y passwordpolicy_14       # PG 14
apt install -y postgresql-18-passwordpolicy   # PG 18
apt install -y postgresql-17-passwordpolicy   # PG 17
apt install -y postgresql-16-passwordpolicy   # PG 16
apt install -y postgresql-15-passwordpolicy   # PG 15
apt install -y postgresql-14-passwordpolicy   # PG 14

Preload:

shared_preload_libraries = '$libdir/passwordpolicy';

Create Extension:

CREATE EXTENSION passwordpolicy;

Usage

Sources: README, v2.0.5 release, control file

passwordpolicy is a configurable replacement for PostgreSQL’s passwordcheck module. It checks passwords during CREATE ROLE and ALTER ROLE, can enforce password history and validity rules, and can simulate soft account locks after repeated failed logins.

Enable The Hook

Load the module before other password-check modules, then restart PostgreSQL:

shared_preload_libraries = 'passwordpolicy'

Install the SQL extension in the postgres database when using account soft-lock or password-history features:

CREATE EXTENSION passwordpolicy;

Password Complexity

Settings are dynamic, but new values apply to new sessions:

password_policy.min_password_len = 15
password_policy.min_special_chars = 1
password_policy.min_numbers = 1
password_policy.min_uppercase_letter = 1
password_policy.min_lowercase_letter = 1
password_policy.require_validuntil = off

Enable CrackLib dictionary checks only after creating the dictionary file:

password_policy.cracklib_dictpath = '/var/cache/cracklib/postgresql_dict'
password_policy.enable_dictionary_check = on

Soft Account Lock

Soft-locking tracks failed login attempts and delays/rejects responses after the configured threshold:

password_policy_lock.number_failures = 5
password_policy_lock.failure_delay = 5
password_policy_lock.auto_unlock = on
password_policy_lock.auto_unlock_after = 0
password_policy_lock.max_number_accounts = 100

Inspect and reset lock state:

SELECT * FROM passwordpolicy.accounts_locked() ORDER BY usename;
SELECT passwordpolicy.account_locked_reset('app_user');

If password_policy_lock.include_all = false, only roles listed in passwordpolicy.accounts_lockable are considered for soft-lock.

Password History

Password history stores recent password hashes in the postgres database and checks new passwords against them:

password_policy_history.max_password_history = 5
password_policy_history.max_number_accounts = 100

Caveats

  • Version 2.0.5 supports PostgreSQL 14-18.
  • This module must be preloaded; changing shared_preload_libraries requires a restart.
  • PostgreSQL cannot truly block authentication before it happens, so soft-lock simulates the lock by delaying and returning an error. It does not mitigate authentication DoS attacks.
  • Size password_policy_lock.max_number_accounts and password_policy_history.max_number_accounts realistically to avoid wasted memory or missed accounts.

Last Modified 2026-07-01: routine extension udpate (aed637d)