Martin Goodson <kaemaril@xxxxxxxxxxxxxx> writes: > Recently our security team have wanted to apply password complexity > checks akin to Oracle's profile mechanism to PostgreSQL, checking that a > password hasn't been used in x months etc, has minimum length, x special > characters and x numeric characters, mixed case etc. Don't suppose it would help to push back on whether your security team knows what they're doing. The really key reason why server-side password checks are not as bright an idea as they sound is that they cannot be implemented without forcing the client to transmit the password in cleartext. It's widely considered best practice if the server *never* sees the user's cleartext password, because then it can't leak, either from sniffing the connection or scraping the postmaster log. I believe that practices such as forcing a password change every X amount of time are not viewed as favorably as they once were, either. (The argument is that that discourages users from putting any serious thought into choosing an uncrackable password, and might well encourage them to write down their current and last few passwords somewhere.) Anyway, considerations like these are why there's not features of this sort in community PG. You can use an extension that applies some checks, but there's no good way around the "needs cleartext password" problem for that. regards, tom lane
