Manage built-in authentication using password policies

This page describes how you can set and manage password policies for database users of your AlloyDB for PostgreSQL instances.

For an overview of authentication methods available in AlloyDB, see Authentication.

About password policies

If your application's database users authenticate with your AlloyDB instances using the built-in, password-based method, then you can make authentication more secure by enforcing strong passwords. You can define and enable password enforcement by setting a password policy on your instances.

Limitations of password policies

AlloyDB password policies have the following limitations:

  • Password policies apply only to passwords that are set after you configure the policy. Existing passwords aren't re-checked when the policy changes, so users who set a weak password earlier keep it until you rotate it.

  • Password policies apply only to passwords that are set as plain text. They don't apply to passwords supplied as already-encrypted (hashed) strings, because the server never sees the plain-text value. For example, a password set with the psql \password meta-command, which hashes the password on the client before sending it, isn't checked against the policy.

Set an instance password policy

You can set a password policy on an instance by configuring password flags on an instance.

  • Disallow username: prevent the username from being used in the password.

  • Password complexity: check that the password contains at least the required number of lowercase, uppercase, numeric, and non-alphanumeric characters, and that it meets the minimum length.

  • Password expiry: make sure that passwords are rotated periodically.

For a list of the password policy flags that AlloyDB supports, see Password policy flags.

Enforce password complexity

To enforce a password-complexity policy, do the following:

  1. Set the password.enforce_complexity flag to ON.
  2. Use password policy flags to define your password policy.

For example, to enforce a password policy that states a password must contain at least one uppercase letter, one number, and be at least 10 characters long, you must set the following flags:

  • password.enforce_complexity to ON
  • password.min_uppercase_letters flag to 1
  • password.min_numerical_chars flag to 1
  • password.min_pass_length flag to 10

After these flags are set, any attempt to set a database user password that doesn't comply with the policy fails, whether the password is set with CREATE USER or with ALTER USER. For example, with this policy set, the following SQL statement (run from the psql client) fails because the password foo is shorter than 10 characters and contains neither a number nor an uppercase letter.

CREATE USER USERNAME WITH PASSWORD 'foo';
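The following script, added here as an example and not part of the AlloyDB documentation, exercises the complexity policy described above with a mix of rejected and accepted passwords. It assumes the instance already has password.enforce_complexity=ON, password.min_uppercase_letters=1, password.min_numerical_chars=1 and password.min_pass_length=10 set, and that the role name app_reader and the password values are placeholders chosen for this example.

```sql
-- Added example (not from the AlloyDB docs). Assumes these instance flags:
--   password.enforce_complexity=ON
--   password.min_uppercase_letters=1
--   password.min_numerical_chars=1
--   password.min_pass_length=10
-- Run from psql as a role with CREATEROLE. The role name app_reader and the
-- password strings are made up for this example.

-- Rejected: 'foo' is 3 characters long and has neither an uppercase letter
-- nor a digit, so the statement fails with a policy error and no role is
-- created.
CREATE USER app_reader WITH PASSWORD 'foo';

-- Rejected: long enough (11 characters) and contains a digit, but no
-- uppercase letter.
CREATE USER app_reader WITH PASSWORD 'longenough1';

-- Accepted: 12 characters, one uppercase letter, one digit.
CREATE USER app_reader WITH PASSWORD 'Longenough12';

-- The same checks apply when a password is changed, so rotating an existing
-- user to a weak password also fails.
ALTER USER app_reader WITH PASSWORD 'weak';

-- Accepted rotation to another compliant value.
ALTER USER app_reader WITH PASSWORD 'Rotated-Value-34';

-- Caveat (see the limitations above): only plain-text passwords are checked.
-- A client that hashes the password itself, such as psql's \password
-- meta-command, sends an already-encrypted string that the policy can't
-- inspect. Set passwords with plain-text literals, as in this script, over
-- an encrypted connection so the policy is actually enforced.
```

When you run this as a script with psql, set ON_ERROR_STOP (for example, psql -v ON_ERROR_STOP=1) if you want the first rejected statement to abort the run; by default psql reports the error and continues with the next statement, which is what makes the accepted and rejected cases above easy to compare in one session.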

Enforce password expiration

To enforce the password expiration policy, do the following:

  1. Set the password.enforce_expiration flag to ON.

  2. Set the password.expiration_in_days flag to the number of days after a password is set that it expires.

  3. Set the password.notify_expiration_in_days flag to the number of days before a password expires that a user starts receiving password expiration notifications.

For example, to enforce a password policy that states passwords expire after 30 days and that users are notified 15 days before their password expires, you set the following:

  • password.enforce_expiration to ON
  • password.expiration_in_days flag to 30
  • password.notify_expiration_in_days flag to 15

If the password of a user expires, that user can't connect to the AlloyDB instance until an administrator sets a new password. Setting a new password restarts the expiration clock. To reset the password of a user, see Change the password of a database user.

Don't allow usernames in passwords

To enforce the policy that prevents a password from containing the username, set the following flag:

  • password.enforce_password_does_not_contain_username to ON

If this flag is set, then the following operation fails because the password alex-secret contains the username as a substring. (PostgreSQL folds the unquoted identifier Alex to lowercase, so the role being created is alex.)

CREATE USER Alex WITH PASSWORD 'alex-secret';
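The following script, added as an example and not taken from the AlloyDB documentation, shows the username policy together with the rotation step that the expiration policy above relies on. It assumes password.enforce_password_does_not_contain_username=ON and password.enforce_expiration=ON with password.expiration_in_days=30 are set on the instance; the role name alex and all password values are placeholders chosen for this example.

```sql
-- Added example (not from the AlloyDB docs). Assumes these instance flags:
--   password.enforce_password_does_not_contain_username=ON
--   password.enforce_expiration=ON
--   password.expiration_in_days=30
-- The role name alex and the password strings are made up for this example.

-- Rejected: the unquoted identifier Alex is folded to alex by PostgreSQL,
-- and 'alex-secret' contains alex.
CREATE USER Alex WITH PASSWORD 'alex-secret';

-- Rejected: the check is a substring check, so the role name embedded in the
-- middle of a longer password is still caught. The quoted identifier is the
-- same lowercase role name.
CREATE USER "alex" WITH PASSWORD 'not-an-alex-password';

-- Accepted: the password doesn't contain the role name.
CREATE USER alex WITH PASSWORD 'Quartz-Lantern-9';

-- With password.enforce_expiration=ON the 30-day clock starts when the
-- password is set. Rotating before expiry, here to another compliant value,
-- restarts the clock. Once a password has expired the user can no longer
-- connect, and an administrator runs the same ALTER USER to reset it.
ALTER USER alex WITH PASSWORD 'Quartz-Lantern-10';

-- Rejected rotation: the new password reintroduces the role name.
ALTER USER alex WITH PASSWORD 'alex-2024-rotation';
```

Because the check matches the role name as stored in the catalog, create roles with the exact name you expect (quote the identifier if it must keep uppercase letters) and review generated passwords for service accounts whose short role names, such as db or app, are likely to appear inside otherwise strong passwords.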

What's next