Check Password Security
This document describes the usage scenarios, methods, and limitations of the PasswordCheck plugin. PasswordCheck is a plugin included with the PostgreSQL kernel for checking the security of user passwords. Using this feature helps prevent weak password issues and improves the security of your database system.
Usage scenarios
When you set a password using SQL, such as with CREATE USER ... PASSWORD or ALTER USER ... PASSWORD, the password’s security is checked.
By default, the weak password check covers the following aspects:
The password must be at least 8 characters long.
The password must not contain the user name.
The password must contain both alphabetic and non-alphabetic characters.
When the passwordcheck.strict_policy parameter is enabled, the following stricter rules are enforced (these rules are hardcoded and cannot be modified):
The password must be at least 9 characters long.
The password must contain at least 2 uppercase letters.
The password must contain at least 2 lowercase letters.
The password must contain at least 2 numbers.
The password must contain at least 2 special characters.
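The following added example (not the plugin's own C code) mirrors the default and strict rules listed above as a client-side pre-check, so a password can be screened before it is sent in CREATE USER or ALTER USER. It assumes the user-name check is a case-sensitive substring match, that "special characters" means anything that is not a letter or digit, and applies the strict set on its own exactly as listed.

```python
# Added example mirroring the PasswordCheck rules described on this page.
# Not the plugin's own code; assumptions are noted inline.

def check_password(password: str, username: str, strict: bool = False) -> list[str]:
    """Return the list of violated rules (an empty list means the password passes).

    strict=False applies the default rules; strict=True applies the hard-coded
    passwordcheck.strict_policy rules, taken as listed on the page.
    """
    problems = []
    if not strict:
        if len(password) < 8:
            problems.append("shorter than 8 characters")
        # Substring match, case-sensitive (an assumption of this example).
        if username and username in password:
            problems.append("contains the user name")
        has_alpha = any(c.isalpha() for c in password)
        has_non_alpha = any(not c.isalpha() for c in password)
        if not (has_alpha and has_non_alpha):
            problems.append("lacks a mix of alphabetic and non-alphabetic characters")
        return problems

    if len(password) < 9:
        problems.append("shorter than 9 characters")
    # Character classes for the strict policy; "special" is assumed to mean
    # any character that is neither a letter nor a digit.
    classes = {
        "uppercase letters": str.isupper,
        "lowercase letters": str.islower,
        "numbers": str.isdigit,
        "special characters": lambda c: not c.isalnum(),
    }
    for name, predicate in classes.items():
        if sum(1 for c in password if predicate(c)) < 2:
            problems.append(f"fewer than 2 {name}")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords for the constructed user name "alice".
    for pw in ("secret", "alice2024!", "Tr0ub4dor&3", "Tr0ub4dor&3!X"):
        default = check_password(pw, "alice") or ["ok"]
        strict = check_password(pw, "alice", strict=True) or ["ok"]
        print(f"{pw!r}: default={default} strict={strict}")
```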
How to use
To use the PasswordCheck plugin, choose one of the following methods:
Before starting the SynxDB cluster, manually edit the postgresql.conf file. Set the value of the shared_preload_libraries configuration parameter to passwordcheck and save the file. The PasswordCheck plugin will be loaded automatically when the cluster starts.
After the SynxDB cluster is running, use the following commands to modify the shared_preload_libraries configuration parameter, and then restart the cluster:
gpconfig -c shared_preload_libraries -v 'passwordcheck'
gpstop -ra
After the configuration is complete, PasswordCheck will perform a weak password check every time a password is set.
Enable strict password policy
After enabling the PasswordCheck plugin, you can further enable the strict password policy by setting the passwordcheck.strict_policy parameter. This parameter is off by default, which means the default PasswordCheck behavior applies.
To enable the strict password policy, run the following commands:
gpconfig -c passwordcheck.strict_policy -v on
gpstop -u
Limitations
PasswordCheck only supports weak password checks on unencrypted passwords; it does not support checks on encrypted passwords. For passwords encrypted with the MD5 or SCRAM algorithm, PasswordCheck only checks if the password is the same as the user name.