Manage built-in authentication using password policies

This page describes how you can set and manage password policies for database users of your AlloyDB for PostgreSQL instances.

For an overview of authentication methods available in AlloyDB, see Authentication.

About password policies

If your application's database users authenticate with your AlloyDB instances using the built-in, password-based method, then you can make authentication more secure by enforcing the use of stronger passwords. You can define and enable such enforcement by setting password policies on your instances, as described later on this page.

Limitations of password policies

AlloyDB password policies have the following limitations:

  • Password policies apply only to passwords created after you set the policies. Existing user passwords aren't affected by a change in password policy.

  • Password policies apply only to passwords entered as plain text. Password policies don't apply to passwords entered as already-encrypted strings.

Set an instance password policy

You can set a password policy on an instance by setting instance flags as described in this section.

A password policy for an instance can include the following options:

  • Disallow username: prevent the use of the username in the password.
  • Password complexity: check that the password contains the required number of lowercase, uppercase, numeric, and non-alphanumeric characters, and that the password length is valid.
  • Password expiry: make sure that passwords are rotated periodically.

For a list of all password policy flags that AlloyDB supports, see Password policy flags.

Enforce password complexity

To enforce a password-complexity policy, do the following:

  1. Set the password.enforce_complexity flag to ON.
  2. Use various password policy flags to define your complexity policy.

For example, to enforce a rule that a valid password must contain at least one uppercase letter and one number and be at least 10 characters long, set password.enforce_complexity to ON and also set the following flags:

  • password.min_uppercase_letters flag to 1
  • password.min_numerical_chars flag to 1
  • password.min_length flag to 10

After you specify all these flags, an attempt to set a database user password that doesn't comply with the password policy is rejected due to insufficient complexity. For example, if you run a command like the following using the psql client, the command fails: CREATE USER USERNAME WITH PASSWORD 'NOTCOMPLEXENOUGH';.

Enforce password expiration

To enforce the password expiration policy, do the following:

  1. Set the password.enforce_expiration flag to ON.
  2. Set the password.expiration_in_days flag to the number of days after which a password expires.
  3. Set the password.notify_expiration_in_days flag to the number of days before expiration at which a user starts receiving notifications that their password is about to expire.

For example, to turn on password expiration, set the password.enforce_expiration flag to ON. Passwords then expire after 90 days, which is the default value of the password.expiration_in_days flag. To notify a user before their password expires, use the password.notify_expiration_in_days flag, whose default value is 30 days. After a password expires, the user can no longer connect to the AlloyDB instance; they must reset their password by following the instructions in Change the password of a database user.

Disallow usernames in passwords

To enforce the policy against usernames in passwords, set the password.enforce_password_does_not_contain_username flag to ON.

For example, to make sure that a password doesn't contain the username as a substring, set the password.enforce_password_does_not_contain_username flag to ON. As a result, a password operation such as CREATE USER Alex WITH PASSWORD 'alex-secret'; fails.
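The following is an added example, not AlloyDB's own code: a local pre-check that mirrors the complexity flags from the example above and the username rule from this section, so that an operator can see why a CREATE USER or ALTER USER statement would be rejected before sending it to the instance. It uses only the flag names from this page; how characters are counted and the case-insensitive username match are assumptions modelled on the flag names and on the Alex / 'alex-secret' example.

```python
# Added example (not AlloyDB's own code): a local pre-check that mirrors the
# password.* complexity and username flags described on this page. Only flag
# names that appear on the page are used; the counting rules are an
# assumption modelled on those names.
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    # Flag values as you would set them on the instance. The defaults below
    # reproduce this page's example: >=1 uppercase, >=1 digit, length >=10,
    # and the username must not appear in the password.
    flags: dict = field(default_factory=lambda: {
        "password.enforce_complexity": "on",
        "password.min_uppercase_letters": "1",
        "password.min_numerical_chars": "1",
        "password.min_length": "10",
        "password.enforce_password_does_not_contain_username": "on",
    })

    @classmethod
    def from_flag_string(cls, spec: str) -> "PasswordPolicy":
        """Parse a 'key=value,key=value' list (the KEY=VALUE form that
        gcloud's --database-flags option accepts) into a policy."""
        pairs = (item.split("=", 1) for item in spec.split(",") if item)
        return cls(flags={k.strip(): v.strip() for k, v in pairs})

    def check(self, username: str, password: str) -> list[str]:
        """Return the policy violations for a plain-text password
        (an empty list means the password would be accepted)."""
        f, violations = self.flags, []
        if f.get("password.enforce_complexity", "off").lower() == "on":
            counts = {
                "password.min_length": len(password),
                "password.min_uppercase_letters": sum(c.isupper() for c in password),
                "password.min_numerical_chars": sum(c.isdigit() for c in password),
            }
            for flag, have in counts.items():
                need = int(f.get(flag, 0))
                if have < need:
                    violations.append(f"{flag}: need {need}, have {have}")
        if f.get("password.enforce_password_does_not_contain_username",
                 "off").lower() == "on":
            # PostgreSQL folds unquoted role names to lowercase, and this page
            # rejects 'alex-secret' for CREATE USER Alex, so compare
            # case-insensitively (assumption about the server-side match).
            if username.lower() in password.lower():
                violations.append("password.enforce_password_does_not_contain_username")
        return violations
```

Run check() on a candidate before issuing CREATE USER; an empty list means the statement would pass the policy as configured here, while each entry names the flag that would cause the rejection.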
