Durban, South Africa - October 19, 2025

PostgreSQL credcheck extension

The credcheck PostgreSQL extension provides few general credential checks, which will be evaluated during the user creation, during the password change and user renaming. By using this extension, we can define a set of rules:

• allow a specific set of credentials
• reject a certain type of credentials
• deny password that can be easily cracked
• enforce use of an expiration date with a minimum of day for a password
• define a password reuse policy
• define the number of authentication failure allowed before a user is banned
• define a delay on authentication failures
• force users to change their password after first login
• throw a warning N days before when the password user is about to expire

Release 4.1 has been published, it includes the following new features:

• At user creation and password change, credcheck automatically set the VALID UNTIL clause to now() + credcheck.password_valid_until days when it is present in the statement.
• Extend the functionality of 'username_contain' and 'username_not_contain' GUCs to allow users to use sub-strings instead of single characters only.
• Add feature to send a warning to the user N days before his password expires. The number of days before can be set using the credcheck.password_valid_warning setting. It is disabled by default. This is done using an event trigger up on login. The point is that the trigger must be set manually in all databases where you want enable this feature.
• Change the pg_banned_role view to display the rolename instead of the role oid.
• No more error are thrown when no VALID UNTIL clause are used in the CREATE/ALTER ROLE statements. It is set automatically when configuration directive password_valid_until is set to a value greater than 0.
• Prevent first login feature to be applied to white listed username.
• Add CI tests to automatically test credcheck with PostgreSQL > 13
• Add force password change at first logging feature. This feature allow to force the users to change their password after the account creation. This behavior is active when credcheck.password_change_first_login is enabled. It is also possible force any user to renew his password at any time using:

  ALTER USER user1 SET credcheck_internal.force_change_password = true;
  

The release note of version 3.0 has never been published so we summarize here the new feature brings by this version.

• Add new configuration variable to exclude some users from being banned. With credcheck.whitelist_auth_failure you can set a whitelist of usernames that must be excluded from this behavior. Example of use:

  credcheck.whitelist_auth_failure = 'appuser1,appuser2'

Upgrade require a PostgreSQL restart to reload the credcheck library.

Complete list of changes is available here

Links & Credits

credcheck is an open project under the PostgreSQL license maintained by HexaCluster. Any contribution to build a better tool is welcome. You can send your ideas, features requests or patches using the GitHub tools.

Links :

• Download: https://github.com/HexaCluster/credcheck/releases/
• Support: use GitHub report tool at https://github.com/HexaCluster/credcheck/issues

About credcheck

The credcheck extension is an original work of MigOps Inc, Since MigOPs is closed the extension is developed and maintained by Gilles Darold at https://hexacluster.ai. If you need more information please https://hexacluster.ai/contact-us/.

Documentation at https://github.com/HexaCluster/credcheck#readme