credcheck v4.1 has been released - HexaCluster via PostgreSQL Announce

public inbox for [email protected]  
help / color / mirror / Atom feed

From: HexaCluster via PostgreSQL Announce <[email protected]>
To: PostgreSQL Announce <[email protected]>
Subject: credcheck v4.1 has been released
Date: Mon, 20 Oct 2025 07:56:45 +0000
Message-ID: <[email protected]> (raw)

Durban, South Africa - October 19, 2025

## PostgreSQL credcheck extension

The credcheck PostgreSQL extension provides few general credential checks, which will be evaluated during the user creation, during the password change and user renaming. By using this extension, we can define a set of rules:

  * allow a specific set of credentials
  * reject a certain type of credentials
  * deny password that can be easily cracked
  * enforce use of an expiration date with a minimum of day for a password
  * define a password reuse policy
  * define the number of authentication failure allowed before a user is banned
  * define a delay on authentication failures
  * force users to change their password after first login
  * throw a warning N days before when the password user is about to expire

Release 4.1 has been published, it includes the following new features:

* At user creation and password change, credcheck automatically set the VALID UNTIL clause to `now() + credcheck.password_valid_until` days when it is present in the statement.
* Extend the functionality of 'username_contain' and 'username_not_contain'
  GUCs to allow users to use sub-strings instead of single characters only.
* Add feature to send a warning to the user N days before his password expires.
  The number of days before can be set using the `credcheck.password_valid_warning`
  setting. It is disabled by default. This is done using an event trigger up on login.
  The point is that the trigger must be set manually in all databases where you want
  enable this feature.
* Change the pg_banned_role view to display the rolename instead of the role oid.
* No more error are thrown when no VALID UNTIL clause are used in the
    CREATE/ALTER ROLE statements. It is set automatically when configuration
    directive password_valid_until is set to a value greater than 0.
* Prevent first login feature to be applied to white listed username.
* Add CI tests to automatically test credcheck with PostgreSQL > 13
* Add force password change at first logging feature. This feature allow to force the
  users to change their password after the account creation. This behavior is active
  when `credcheck.password_change_first_login` is enabled. It is also possible force any
  user to renew his password at any time using:

    	ALTER USER user1 SET credcheck_internal.force_change_password = true;

The release note of version 3.0 has never been published so we summarize here the new feature
brings by this version.

* Add new configuration variable to exclude some users from being banned.
  With `credcheck.whitelist_auth_failure` you can set a whitelist of usernames
  that must be excluded from this behavior. Example of use:

	credcheck.whitelist_auth_failure = 'appuser1,appuser2'

Upgrade require a PostgreSQL restart to reload the credcheck library.

Complete list of changes is available [here](https://github.com/HexaCluster/credcheck/releases/tag/v4.1)

## Links & Credits

credcheck is an open project under the PostgreSQL license maintained by [HexaCluster](https://github.com/HexaCluster/credcheck/).
Any contribution to build a better tool is welcome. You can send your ideas, features requests or patches
using the GitHub tools.

**Links :**

* Download:  [https://github.com/HexaCluster/credcheck/releases/](https://github.com/HexaCluster/credcheck/releases/)
* Support: use GitHub report tool at [https://github.com/HexaCluster/credcheck/issues](https://github.com/HexaCluster/credcheck/issues)

## About credcheck

The credcheck extension is an original work of MigOps Inc, Since MigOPs is closed the extension is developed and maintained by Gilles Darold at [https://hexacluster.ai](HexaCluster Corp). If you need more information please [https://hexacluster.ai/contact-us/](contact us).

Documentation at [https://github.com/HexaCluster/credcheck#readme](https://github.com/HexaCluster/credcheck#readme)

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected]
  Subject: Re: credcheck v4.1 has been released
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox