v.22.10Improvement

Add allow_implicit_no_password Setting to Enforce Password Requirements

Published: November 25, 2025

Add setting allow_implicit_no_password: in combination with allow_no_password it forbids creating a user with no password unless IDENTIFIED WITH no_password is explicitly specified. #41341 (Nikolay Degterinsky).

Introduces the allow_implicit_no_password setting that, together with allow_no_password, prevents creating users without a password unless explicitly specified with IDENTIFIED WITH no_password.

Why it matters

This feature enhances security by ensuring that users cannot be created without a password unintentionally. It requires explicit declaration for passwordless users, reducing the risk of unauthorized access due to implicit no-password user creation.

How to use it

To enable this feature, set allow_implicit_no_password to 0 (false) alongside allow_no_password. This combination forbids creating users without a password unless the user is explicitly created using IDENTIFIED WITH no_password syntax.

Related resources

Pull Request #41341