The credcheck PostgreSQL extension provides few general credential checks, which will be evaluated during the user creation, during the password change and user renaming. By using this extension, we can define a set of rules:
allow a specific set of credentials
reject a certain type of credentials
deny password that can be easily cracked
enforce use of an expiration date with a minimum of day for a password
define a password reuse policy
define the number of authentication failure allowed before a user is banned
define a delay on authentication failures
force users to change their password after first login
throw a warning N days before when the password user is about to expire
Release 4.5 has been published, it fixes several issues reported by users since last release.
Fix error cannot change data type of view column "roleid" from oid to regrole.
Add missing upgrade SQL file from 4.3 to 4.4.
Fix error when the user want to modify his password and credcheck.password_valid_until option is set. As we modify the VALID UNTIL clause it will generate an error message when the user changes his password: Only roles with the CREATEROLE attribute and the ADMIN option on role "..." may alter this role.
Set the tzp argument in timestamp2tm() call to apply timezone to converted timestamp.
Upgrade require a PostgreSQL restart to reload the credcheck library.
Complete list of changes and acknowledgements are available here
Links & Credits
credcheck is an open project under the PostgreSQL license maintained by HexaCluster. Any contribution to build a better tool is welcome. You can send your ideas, features requests or patches using the GitHub tools.