Subject: credcheck v4.1 has been released
From: HexaCluster via PostgreSQL Announce
To: PostgreSQL Announce
Reply-To: gilles@hexacluster.ai
Date: Mon, 20 Oct 2025 07:56:45 +0000

Durban, South Africa - October 19, 2025

## PostgreSQL credcheck extension

The credcheck PostgreSQL extension provides a few general credential checks, which are evaluated during user creation, password change and user renaming.

By using this extension, we can define a set of rules:

* allow a specific set of credentials
* reject a certain type of credentials
* deny passwords that can be easily cracked
* enforce use of an expiration date with a minimum number of days for a password
* define a password reuse policy
* define the number of authentication failures allowed before a user is banned
* define a delay on authentication failures
* force users to change their password after first login
* throw a warning N days before the user's password is about to expire

Release 4.1 has been published. It includes the following new features:

* At user creation and password change, credcheck automatically sets the VALID UNTIL clause to `now() + credcheck.password_valid_until` days when it is present in the statement.
* Extend the functionality of the 'username_contain' and 'username_not_contain' GUCs to allow users to use sub-strings instead of single characters only.
* Add a feature to send a warning to the user N days before his password expires. The number of days can be set using the `credcheck.password_valid_warning` setting. It is disabled by default. This is done using an event trigger upon login. Note that the trigger must be set manually in all databases where you want to enable this feature.
* Change the pg_banned_role view to display the role name instead of the role oid.
* Errors are no longer thrown when no VALID UNTIL clause is used in CREATE/ALTER ROLE statements. It is set automatically when the configuration directive password_valid_until is set to a value greater than 0.
* Prevent the first login feature from being applied to whitelisted usernames.
* Add CI tests to automatically test credcheck with PostgreSQL > 13.
* Add a force password change at first login feature. This feature allows forcing users to change their password after account creation. This behavior is active when `credcheck.password_change_first_login` is enabled. It is also possible to force any user to renew his password at any time using:

        ALTER USER user1 SET credcheck_internal.force_change_password = true;

The release note of version 3.0 has never been published, so we summarize here the new feature brought by this version.

* Add a new configuration variable to exclude some users from being banned. With `credcheck.whitelist_auth_failure` you can set a whitelist of usernames that must be excluded from this behavior. Example of use:

        credcheck.whitelist_auth_failure = 'appuser1,appuser2'

Upgrading requires a PostgreSQL restart to reload the credcheck library.

The complete list of changes is available [here](https://github.com/HexaCluster/credcheck/releases/tag/v4.1).

## Links & Credits

credcheck is an open project under the PostgreSQL license maintained by [HexaCluster](https://github.com/HexaCluster/credcheck/).

Any contribution to build a better tool is welcome. You can send your ideas, feature requests or patches using the GitHub tools.

**Links:**

* Download: [https://github.com/HexaCluster/credcheck/releases/](https://github.com/HexaCluster/credcheck/releases/)
* Support: use the GitHub report tool at [https://github.com/HexaCluster/credcheck/issues](https://github.com/HexaCluster/credcheck/issues)

## About credcheck

The credcheck extension is an original work of MigOps Inc. Since MigOps closed, the extension has been developed and maintained by Gilles Darold at [HexaCluster Corp](https://hexacluster.ai). If you need more information, please [contact us](https://hexacluster.ai/contact-us/).

Documentation at [https://github.com/HexaCluster/credcheck#readme](https://github.com/HexaCluster/credcheck#readme)
 
