Check Password Security
This document describes the usage scenarios, methods, and limitations of the PasswordCheck plugin. PasswordCheck is a plugin included with the PostgreSQL kernel for checking the security of user passwords. Using this feature helps prevent weak password issues and improves the security of your database system.
Usage scenarios
When you set a password using SQL, such as with CREATE USER ... PASSWORD or ALTER USER ... PASSWORD, the password’s security is checked. The weak password check covers the following aspects:
The password must be longer than 8 characters.
The password must not contain the user name.
The password must contain both alphabetic and non-alphabetic characters.
How to use
To use the PasswordCheck plugin, choose one of the following methods:
Before starting the SynxDB cluster, manually edit the postgresql.conf file. Set the value of the shared_preload_libraries configuration parameter to passwordcheck and save the file. The PasswordCheck plugin will be loaded automatically when the cluster starts.
After the SynxDB cluster is running, use the following command to modify the shared_preload_libraries configuration parameter, and then restart the cluster:
    gpconfig -c shared_preload_libraries -v 'passwordcheck'
    gpstop -ra
After the configuration is complete, PasswordCheck will perform a weak password check every time a password is set.
Limitations
PasswordCheck only supports weak password checks on unencrypted passwords; it does not support checks on encrypted passwords. For passwords encrypted with the MD5 or SCRAM algorithm, PasswordCheck only checks if the password is the same as the user name.
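The following Python model is an added example, not the plugin's own code. It applies the three rules from this page to plaintext passwords and shows why a password that arrives already hashed can only be compared against the user name. The function names and sample values are assumptions made for illustration. The MD5 and SCRAM-SHA-256 layouts are PostgreSQL's stored verifier formats, simplified here to ASCII passwords.

```python
import base64, hashlib, hmac, re

def pg_md5(password, user):
    # PostgreSQL MD5 verifier: "md5" + md5(password || user name)
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()

def pg_scram(password, salt, iterations=4096):
    # SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey> (ASCII passwords only here)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda raw: base64.b64encode(raw).decode()
    stored_key = hashlib.sha256(client_key).digest()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"

def hashed_equals(verifier, candidate, user):
    """True/False if `verifier` is a hash that does/doesn't match `candidate`; None if not a hash."""
    if re.fullmatch(r"md5[0-9a-f]{32}", verifier):
        return hmac.compare_digest(verifier, pg_md5(candidate, user))
    m = re.fullmatch(r"SCRAM-SHA-256\$(\d+):([^$]+)\$[^:]+:.+", verifier)
    if m:
        salt = base64.b64decode(m.group(2))
        return hmac.compare_digest(verifier, pg_scram(candidate, salt, int(m.group(1))))
    return None

def check_password(user, password):
    """Return the list of violated rules; an empty list means the password is accepted."""
    same_as_user = hashed_equals(password, user, user)
    if same_as_user is not None:
        # Already hashed: the plaintext is unknown, so only one guess can be tested.
        return ["same as user name"] if same_as_user else []
    problems = []
    if len(password) <= 8:          # page's rule: longer than 8 characters
        problems.append("too short")
    if user in password:
        problems.append("contains user name")
    has_alpha = any(c.isalpha() for c in password)
    if not (has_alpha and any(not c.isalpha() for c in password)):
        problems.append("needs letters and non-letters")
    return problems

SALT = b"constructed-salt"  # constructed sample value, not from the page
```

The weak password "abc" fails two rules when sent as plaintext, but its MD5 or SCRAM form is accepted because the check cannot recover the plaintext from the hash.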