September 26, 2024: PostgreSQL 17 Released!

credcheck v1.0 released

Posted on 2023-04-06 by MigOps
Related Open Source

April 06, 2023

PostgreSQL credcheck extension

The credcheck PostgreSQL extension provides general credential checks, which will be evaluated during the user creation, during the password change and user renaming. By using this extension, a set of rules can be defined:

  • allow a specific set of credentials
  • reject a certain type of credentials
  • enforce use of an expiration date with a minimum of day for a password
  • define a password reuse policy

New release v1.0 adds a major feature called Password Reuse Policy and the ability to force the use of an expiration date for a password. It also prevent PostgreSQL to expose the password in the logs in case of error and fixes some issues reported by users since the past 6 months.

  • Add Password Reuse Policy feature. This implementation use a dedicated shared memory storage to share the password history between all database. It requires credcheck to loaded through shared_preload_libraries in postgresql.conf. The behavior of this feature can controlled by two settings:

    • credcheck.password_reuse_history: number of distinct passwords set before a password can be reused.

    • credcheck.password_reuse_interval: amount of time it takes before a password can be reused again.

  • Add possibility to enforce the use of an expiration date for a password with a life time of a specific number of days. Example: credcheck.password_valid_until = 60 the password life time must be at least of two months.

  • Allow credcheck to check the user name in CREATE USER statement without option PASSWORD.

  • Force credcheck settings to be set/changed only by a superuser.

  • Fix detection of the VALID UNTIL clause in CREATE ROLE.

  • Force PostgreSQL to not expose the password in the log when an error in CREATE/ALTER role occurs. This behavior can be disabled by setting the custom variable credcheck.no_password_logging to off.

  • Use errcode ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION (28000) for most error messages.

Complete list of changes is available here

Links & Credits

credcheck is an open project under the PostgreSQL license created at MigOps Inc. Any contribution to build a better tool is welcome. You can send your ideas, features requests or patches using the GitHub tools.

About credcheck

The credcheck extension is an original work of MigOps Inc, MigOPs is specialized in migration to PostgreSQL and PostgreSQL support. If you need more information please contact us

Documentation at https://github.com/MigOpsRepos/credcheck#readme