passwordpolicy
Overview
| Package | Version | Category | License | Language |
|---|---|---|---|---|
passwordpolicy | 2.0.5 | SEC | PostgreSQL | C |
| ID | Extension | Bin | Lib | Load | Create | Trust | Reloc | Schema |
|---|---|---|---|---|---|---|---|---|
| 7040 | passwordpolicy | No | Yes | Yes | Yes | No | Yes | - |
| Related | passwordcheck passwordcheck_cracklib credcheck |
|---|
PGDG RPM and Pigsty DEB package fmbiete/passwordpolicy 2.0.5; requires shared_preload_libraries and cracklib runtime.
Version
| Type | Repo | Version | PG Ver | Package | Deps |
|---|---|---|---|---|---|
| EXT | PGDG | 2.0.5 | 1817161514 | passwordpolicy | - |
| RPM | PGDG | 2.0.5 | 1817161514 | passwordpolicy_$v | cracklib |
| DEB | PIGSTY | 2.0.5 | 1817161514 | postgresql-$v-passwordpolicy | cracklib-runtime, libcrack2 |
Build
You can build the RPM / DEB packages for passwordpolicy using pig build:
pig build pkg passwordpolicy # build RPM / DEB packages
Install
You can install passwordpolicy directly. First, make sure the PGDG repository is added and enabled:
pig repo add pgdg -u # Add PGDG repo and update cache
Install the extension using pig or apt/yum/dnf:
pig install passwordpolicy; # Install for current active PG version
pig ext install -y passwordpolicy -v 18 # PG 18
pig ext install -y passwordpolicy -v 17 # PG 17
pig ext install -y passwordpolicy -v 16 # PG 16
pig ext install -y passwordpolicy -v 15 # PG 15
pig ext install -y passwordpolicy -v 14 # PG 14
dnf install -y passwordpolicy_18 # PG 18
dnf install -y passwordpolicy_17 # PG 17
dnf install -y passwordpolicy_16 # PG 16
dnf install -y passwordpolicy_15 # PG 15
dnf install -y passwordpolicy_14 # PG 14
apt install -y postgresql-18-passwordpolicy # PG 18
apt install -y postgresql-17-passwordpolicy # PG 17
apt install -y postgresql-16-passwordpolicy # PG 16
apt install -y postgresql-15-passwordpolicy # PG 15
apt install -y postgresql-14-passwordpolicy # PG 14
Preload:
shared_preload_libraries = '$libdir/passwordpolicy';
Create Extension:
CREATE EXTENSION passwordpolicy;
Usage
Sources: README, v2.0.5 release, control file
passwordpolicy is a configurable replacement for PostgreSQL’s passwordcheck module. It checks passwords during CREATE ROLE and ALTER ROLE, can enforce password history and validity rules, and can simulate soft account locks after repeated failed logins.
Enable The Hook
Load the module before other password-check modules, then restart PostgreSQL:
shared_preload_libraries = 'passwordpolicy'
Install the SQL extension in the postgres database when using account soft-lock or password-history features:
CREATE EXTENSION passwordpolicy;
Password Complexity
Settings are dynamic, but new values apply to new sessions:
password_policy.min_password_len = 15
password_policy.min_special_chars = 1
password_policy.min_numbers = 1
password_policy.min_uppercase_letter = 1
password_policy.min_lowercase_letter = 1
password_policy.require_validuntil = off
Enable CrackLib dictionary checks only after creating the dictionary file:
password_policy.cracklib_dictpath = '/var/cache/cracklib/postgresql_dict'
password_policy.enable_dictionary_check = on
Soft Account Lock
Soft-locking tracks failed login attempts and delays/rejects responses after the configured threshold:
password_policy_lock.number_failures = 5
password_policy_lock.failure_delay = 5
password_policy_lock.auto_unlock = on
password_policy_lock.auto_unlock_after = 0
password_policy_lock.max_number_accounts = 100
Inspect and reset lock state:
SELECT * FROM passwordpolicy.accounts_locked() ORDER BY usename;
SELECT passwordpolicy.account_locked_reset('app_user');
If password_policy_lock.include_all = false, only roles listed in passwordpolicy.accounts_lockable are considered for soft-lock.
Password History
Password history stores recent password hashes in the postgres database and checks new passwords against them:
password_policy_history.max_password_history = 5
password_policy_history.max_number_accounts = 100
Caveats
- Version 2.0.5 supports PostgreSQL 14-18.
- This module must be preloaded; changing
shared_preload_librariesrequires a restart. - PostgreSQL cannot truly block authentication before it happens, so soft-lock simulates the lock by delaying and returning an error. It does not mitigate authentication DoS attacks.
- Size
password_policy_lock.max_number_accountsandpassword_policy_history.max_number_accountsrealistically to avoid wasted memory or missed accounts.
Feedback
Was this page helpful?
Thanks for the feedback! Please let us know how we can improve.
Sorry to hear that. Please let us know how we can improve.