passwordcheck
The passwordcheck module checks user passwords whenever they are set via CREATE ROLE or ALTER ROLE. If a password is considered too weak, it is rejected and the command terminates with an error.
To enable this module, add '$libdir/passwordcheck' to shared_preload_libraries in postgresql.conf, then restart the server.
You can modify this module to suit your needs by editing the source code. For example, you can use CrackLib to check passwords; this only requires uncommenting two lines in the Makefile and recompiling the module (for licensing reasons, CrackLib cannot be included by default). Without CrackLib, the module enforces some simple rules for password strength, which can be modified and extended.
Caution: To prevent unencrypted passwords from being transmitted over the network, written to server logs, or stolen by a database administrator, Halo allows users to provide pre-encrypted passwords. Many client programs take advantage of this feature and encrypt the password before sending it to the server. This limits the usefulness of the passwordcheck module, because in this case it can only attempt to guess the password. For this reason, if your security requirements are high, we do not recommend passwordcheck. Alternatively, you can modify passwordcheck to reject pre-encrypted passwords, but forcing users to set passwords in plaintext introduces its own security risks.
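The limitation described in the caution above, as an added Python sketch (not code from the module or from Halo). It assumes PostgreSQL-style stored formats, `md5` followed by md5(password || role name) and SCRAM-SHA-256 verifiers; `check_password`, its strength rules and its candidate guesses are hypothetical.

```python
import hashlib
import re

MIN_LEN = 8  # assumed minimum length for this sketch
MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")
SCRAM_RE = re.compile(
    r"^SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+$")


def pg_md5(password, role):
    """Assumed client-side pre-hash: 'md5' + md5(password || role name)."""
    return "md5" + hashlib.md5((password + role).encode()).hexdigest()


def classify(secret):
    """Tell what the server actually received in CREATE/ALTER ROLE."""
    if MD5_RE.match(secret):
        return "md5"
    if SCRAM_RE.match(secret):
        return "scram-sha-256"
    return "plaintext"


def check_password(role, secret, reject_pre_encrypted=False):
    """Return (accepted, reason) for a password being set on a role."""
    kind = classify(secret)
    if kind == "plaintext":
        # Full rules are only possible when the cleartext is visible.
        if len(secret) < MIN_LEN:
            return False, "too short"
        if role.lower() in secret.lower():
            return False, "contains role name"
        if secret.isalpha() or not any(c.isalpha() for c in secret):
            return False, "needs letters and non-letters"
        return True, "passed plaintext rules"
    if reject_pre_encrypted:
        # The stricter variant the caution mentions, with its own trade-off.
        return False, "pre-encrypted password rejected"
    if kind == "md5":
        # The cleartext is gone; the check can only hash a few guesses.
        for guess in (role, "password"):
            if pg_md5(guess, role) == secret:
                return False, "matches a trivial guess"
        return True, "md5 hash accepted unchecked"
    # A salted SCRAM verifier is accepted as-is in this sketch.
    return True, "scram verifier accepted unchecked"
```

A four-character password passes once the client pre-hashes it, which is the gap the caution describes.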