passwordcheck module problem

From: Zaur Hajili
Subject: passwordcheck module problem
Msg-id: CAFS9i-zYnEF3GZPZV+bDr_-2q394vG2VX9Vt3b8DYkSu+O8gEA@mail.gmail.com
List: pgsql-www
Hi,

Recently one of the DBA course students informed me about a problem with the passwordcheck module.

I cannot imagine that it is not a known issue, but if this is a known issue, then the passwordcheck module loses all its functionality.

The problem is that when a user changes its password via the \password command (a psql meta-command), it can set any simple password successfully.

Tested in versions 14, 15, 16. Same behavior.

Postgres must check the password before converting it to a hash; it is clear that after hashing it cannot detect the weakness.
 
postgres=# select version();
                                                 version                                                
---------------------------------------------------------------------------------------------------------
 PostgreSQL 15.5 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-20), 64-bit
(1 row)

postgres=# show shared_preload_libraries;
   shared_preload_libraries    
-------------------------------
 $libdir/passwordcheck,pgaudit
(1 row)

postgres=# create user test1 with password '1';
ERROR:  password is too short
postgres=#
postgres=# \set VERBOSITY verbose
postgres=#
postgres=# create user test1;
CREATE ROLE
postgres=#
postgres=# \password test1
Enter new password for user "test1":
Enter it again:
postgres=#
postgres=# \set ECHO_HIDDEN on
postgres=#
postgres=#
postgres=# \password test1
Enter new password for user "test1":
Enter it again:
********* QUERY **********
ALTER USER test1 PASSWORD 'SCRAM-SHA-256$4096:8HfuUKZq5sm8cYQzuk16mA==$8UM1aksC3gc9t5P+Hi1HXZw4FVsPU+JAa9ieL/UaDKA=:bv5P+tMlIsRC9hL5Da+tTF1O3+CBkOhxdmBrD5Di1A0='
**************************



--
Regards
Zaur Hajili
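
Added example (not part of the original message, and not PostgreSQL or passwordcheck code): a Python illustration of why a server-side check cannot judge a SCRAM-SHA-256 verifier like the one in the ECHO_HIDDEN output above, while a check run on the cleartext can. It assumes ASCII passwords (no SASLprep); the function names, deny-list, policy rules and sample values are hypothetical and constructed.

```python
import base64
import hashlib
import hmac
import os


def build_verifier(password, salt=None, iterations=4096):
    """Derive a SCRAM-SHA-256 verifier string from a cleartext password.
    Assumption: ASCII password, so SASLprep normalization is skipped."""
    salt = os.urandom(16) if salt is None else salt
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    enc = lambda raw: base64.b64encode(raw).decode()
    return f"SCRAM-SHA-256${iterations}:{enc(salt)}${enc(stored_key)}:{enc(server_key)}"


def verifier_matches(verifier, guess):
    """Re-derive the verifier from a guess using the embedded salt and iteration count."""
    scheme, params, _keys = verifier.split("$")
    if scheme != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 verifier")
    iterations, salt_b64 = params.split(":")
    rebuilt = build_verifier(guess, base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(rebuilt, verifier)


def server_side_verdict(verifier, username, denylist):
    """All a server-side hook can do with a verifier: test specific guesses."""
    for guess in [username, *denylist]:
        if verifier_matches(verifier, guess):
            return "reject"
    return "unknown"  # length and character classes are not recoverable


def client_side_verdict(password, username, min_length=8):
    """Illustrative policy (hypothetical rules) applied while the cleartext is available."""
    if len(password) < min_length or username in password:
        return "reject"
    has_alpha = any(c.isalpha() for c in password)
    has_other = any(not c.isalpha() for c in password)
    return "accept" if has_alpha and has_other else "reject"


if __name__ == "__main__":
    sample = build_verifier("1", salt=b"constructed-salt")  # constructed sample
    print(sample)
    print(server_side_verdict(sample, "test1", ["password", "123456"]))
    print(client_side_verdict("1", "test1"))
```

The one-character password is only caught on the server if it happens to be on the guess list, which is why a length or complexity rule has to run wherever the cleartext is still visible.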
