Durban, South Africa - October 19, 2025
## PostgreSQL credcheck extension
The credcheck PostgreSQL extension provides few general credential checks,
which will be evaluated during the user creation, during the password change
and user renaming. By using this extension, we can define a set of rules:
* allow a specific set of credentials
* reject a certain type of credentials
* deny password that can be easily cracked
* enforce use of an expiration date with a minimum of day for a password
* define a password reuse policy
* define the number of authentication failure allowed before a user is banned
* define a delay on authentication failures
* force users to change their password after first login
* throw a warning N days before when the password user is about to expire
Release 4.1 has been published, it includes the following new features:
* At user creation and password change, credcheck automatically set the VALID
UNTIL clause to `now() + credcheck.password_valid_until` days when it is
present in the statement.
* Extend the functionality of 'username_contain' and 'username_not_contain'
GUCs to allow users to use sub-strings instead of single characters only.
* Add feature to send a warning to the user N days before his password expires.
The number of days before can be set using the
`credcheck.password_valid_warning`
setting. It is disabled by default. This is done using an event trigger up on
login.
The point is that the trigger must be set manually in all databases where you
want
enable this feature.
* Change the pg_banned_role view to display the rolename instead of the role
oid.
* No more error are thrown when no VALID UNTIL clause are used in the
CREATE/ALTER ROLE statements. It is set automatically when configuration
directive password_valid_until is set to a value greater than 0.
* Prevent first login feature to be applied to white listed username.
* Add CI tests to automatically test credcheck with PostgreSQL > 13
* Add force password change at first logging feature. This feature allow to
force the
users to change their password after the account creation. This behavior is
active
when `credcheck.password_change_first_login` is enabled. It is also possible
force any
user to renew his password at any time using:
ALTER USER user1 SET credcheck_internal.force_change_password = true;
The release note of version 3.0 has never been published so we summarize here
the new feature
brings by this version.
* Add new configuration variable to exclude some users from being banned.
With `credcheck.whitelist_auth_failure` you can set a whitelist of usernames
that must be excluded from this behavior. Example of use:
credcheck.whitelist_auth_failure = 'appuser1,appuser2'
Upgrade require a PostgreSQL restart to reload the credcheck library.
Complete list of changes is available
[here](https://github.com/HexaCluster/credcheck/releases/tag/v4.1)
## Links & Credits
credcheck is an open project under the PostgreSQL license maintained by
[HexaCluster](https://github.com/HexaCluster/credcheck/).
Any contribution to build a better tool is welcome. You can send your ideas,
features requests or patches
using the GitHub tools.
**Links :**
* Download:
[https://github.com/HexaCluster/credcheck/releases/](https://github.com/HexaCluster/credcheck/releases/)
* Support: use GitHub report tool at
[https://github.com/HexaCluster/credcheck/issues](https://github.com/HexaCluster/credcheck/issues)
## About credcheck
The credcheck extension is an original work of MigOps Inc, Since MigOPs is
closed the extension is developed and maintained by Gilles Darold at
[https://hexacluster.ai](HexaCluster Corp). If you need more information please
[https://hexacluster.ai/contact-us/](contact us).
Documentation at
[https://github.com/HexaCluster/credcheck#readme](https://github.com/HexaCluster/credcheck#readme)
