credcheck v2.0.0 released

Posted on 2023-06-12 by Gilles Darold
Related Open Source

Casablanca, Maroc - June 10, 2023

PostgreSQL credcheck extension

The credcheck PostgreSQL extension provides few general credential checks, which will be evaluated during the user creation, during the password change and user renaming. By using this extension, we can define a set of rules:

  • allow a specific set of credentials
  • reject a certain type of credentials
  • enforce use of an expiration date with a minimum of day for a password
  • define a password reuse policy
  • define the number of authentication failure allowed before a user is banned

Release v2.0.0 adds a major feature and the compatibility with PostgreSQL 16. Upgrade require a PostgreSQL restart to reload the credcheck library.

  • Add "Authentication failure ban" new feature

    PostgreSQL doesn't have any mechanism to limit the number of authentication failure attempt before the user being banned. With the credcheck extension, after an amount of authentication failure defined by configuration directive credcheck.max_auth_failure the user can be banned and never connect anymore even if it gives the right password later. This feature requires that the credcheck extension to be added to to shared_preload_libraries configuration option.

    All users authentication failures are registered in shared memory with the timestamps of when the user have been banned. The authentication failures history is saved into memory only, that mean that the history is lost at PostgreSQL restart. I have not seen the interest for the moment to restore the cache at startup.

    The authentication failure cache size is set to 1024 records by default and can be adjusted using the credcheck.auth_failure_cache_size configuration directive. Change of this GUC require a PostgreSQL restart.

    Two settings allow to control the behavior of this feature:

    • credcheck.max_auth_failure: number of authentication failure allowed for a user before being banned.
    • credcheck.reset_superuser : force superuser to not be banned or reset a banned superuser when set to true.

    The default value for the first setting is 0 which means that authentication failure ban feature is disabled. The default value for the second setting is false which means that postgres superuser can be banned.

    In case the postgres superuser was banned, he can not logged anymore. If there is no other superuser account that can be used to reset the record of the banned superuser, set the credcheck.reset_superuserconfiguration directive to true into postgresql.conf file and send the SIGHUP signal to the PostgreSQL process pid so that it will reread the configuration. Next time the superuser will try to connect, its authentication failure cache entry will be removed.

Complete list of changes is available here

Links & Credits

credcheck is an open project under the PostgreSQL license originally created at MigOps Inc, developed and maintained by Gilles Darold. Any contribution to build a better tool is welcome. You can send your ideas, features requests or patches using the GitHub tools.

Links :

About credcheck

The credcheck extension is an original work of MigOps Inc, Since MigOPs is closed Gilles Darold is the official maintainer. If you need more information please contact me

Documentation at