April 06, 2023

## PostgreSQL credcheck extension

The credcheck PostgreSQL extension provides general credential checks, which 
are evaluated during user creation, password change and user renaming. By 
using this extension, a set of rules can be defined:

  * allow a specific set of credentials
  * reject a certain type of credentials
  * enforce use of an expiration date with a minimum number of days for a password
  * define a password reuse policy

New release v1.0 adds a major feature called **Password Reuse Policy** and the 
ability to force the use of an expiration date for a password. It also prevents 
PostgreSQL from exposing the password in the logs in case of error and fixes 
some issues reported by users over the past 6 months.

* Add Password Reuse Policy feature. This implementation uses a dedicated shared 
memory storage to share the password history between all databases. It requires 
credcheck to be loaded through `shared_preload_libraries` in postgresql.conf. 
The behavior of this feature can be controlled by two settings:

    * `credcheck.password_reuse_history`: number of distinct passwords set 
before a password can be reused.

    * `credcheck.password_reuse_interval`: amount of time it takes before a 
password can be reused again.

* Add the possibility to enforce the use of an expiration date for a password 
with a lifetime of a specific number of days. Example: with 
`credcheck.password_valid_until = 60`, the password lifetime must be at least 
two months.

* Allow credcheck to check the user name in a `CREATE USER` statement without 
the `PASSWORD` option.

* Force credcheck settings to be set/changed only by a superuser.

* Fix detection of the `VALID UNTIL` clause in `CREATE ROLE`.

* Force PostgreSQL to not expose the password in the log when an error in 
CREATE/ALTER role occurs. This behavior can be disabled by setting the custom 
variable `credcheck.no_password_logging` to off.


* Use errcode `ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION (28000)` for most 
error messages.
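
The following is an added example, not taken from the credcheck project, of how the v1.0 settings listed above could be combined and exercised from a superuser session. The role name, passwords, dates and setting values are constructed; the unit of `credcheck.password_reuse_interval` is assumed to be days, and the "expected" outcomes follow the descriptions above rather than captured output.

```sql
-- Prerequisite in postgresql.conf (requires a server restart), needed for the
-- shared-memory password history:
--   shared_preload_libraries = 'credcheck'

CREATE EXTENSION IF NOT EXISTS credcheck;

-- credcheck settings can only be set or changed by a superuser as of v1.0.
ALTER SYSTEM SET credcheck.password_reuse_history  = 5;    -- 5 distinct passwords before reuse
ALTER SYSTEM SET credcheck.password_reuse_interval = 365;  -- assumed unit: days
ALTER SYSTEM SET credcheck.password_valid_until    = 60;   -- minimum lifetime in days
ALTER SYSTEM SET credcheck.no_password_logging     = on;   -- keep passwords out of error logs
SELECT pg_reload_conf();

-- Expected to be rejected: a password is set but no VALID UNTIL clause is given.
CREATE ROLE app_user LOGIN PASSWORD 'Constructed-Pass-1';

-- Expected to be rejected: the expiration date is only 30 days away (< 60).
-- VALID UNTIL takes a literal, so the relative date is built with format().
DO $$
BEGIN
  EXECUTE format('CREATE ROLE app_user LOGIN PASSWORD %L VALID UNTIL %L',
                 'Constructed-Pass-1', (now() + interval '30 days')::text);
END
$$;

-- Expected to be accepted: the expiration date is more than 60 days away.
CREATE ROLE app_user LOGIN PASSWORD 'Constructed-Pass-1' VALID UNTIL '2099-01-01';

-- Expected to be accepted: a password not yet in the history.
ALTER ROLE app_user PASSWORD 'Constructed-Pass-2' VALID UNTIL '2099-01-01';

-- Expected to be rejected: 'Constructed-Pass-1' was used too recently and
-- fewer than 5 distinct passwords have been set since.
ALTER ROLE app_user PASSWORD 'Constructed-Pass-1' VALID UNTIL '2099-01-01';

-- Clean up the constructed role.
DROP ROLE IF EXISTS app_user;
```

Rejections are reported with errcode 28000 for most messages, so client code and log filters can match on that SQLSTATE instead of on message text.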

The complete list of changes is available 
[here](https://github.com/MigOpsRepos/credcheck/blob/v1.0/ChangeLog).

## Links & Credits

credcheck is an open project under the PostgreSQL license created at [MigOps 
Inc](https://migops.com/).
Any contribution to build a better tool is welcome. You can send your ideas, 
feature requests or patches using the GitHub tools.

* Download:  
[https://github.com/MigOpsRepos/credcheck/releases/](https://github.com/MigOpsRepos/credcheck/releases/)
* Support: use the GitHub report tool at 
[https://github.com/MigOpsRepos/credcheck/issues](https://github.com/MigOpsRepos/credcheck/issues)

## About credcheck

The credcheck extension is an original work of [MigOps 
Inc](https://migops.com/). MigOps specializes in migration to PostgreSQL and 
PostgreSQL support. If you need more information, please [contact 
us](https://www.migops.com/contact-us/).

Documentation at 
[https://github.com/MigOpsRepos/credcheck#readme](https://github.com/MigOpsRepos/credcheck#readme)
