diff -c -r postgresql-8.5.orig/src/include/commands/user.h postgresql-8.5/src/include/commands/user.h
*** postgresql-8.5.orig/src/include/commands/user.h	2009-11-16 11:31:19.000000000 +0100
--- postgresql-8.5/src/include/commands/user.h	2009-11-17 13:01:06.000000000 +0100
***************
*** 13,18 ****
--- 13,21 ----
  
  #include "nodes/parsenodes.h"
  
+ /* Hook for plugins to check passwords in CreateRole() and AlterRole() */
+ typedef bool(*check_password_hook_type)(const char * username, const char * password, bool isencrypted);
+ extern PGDLLIMPORT check_password_hook_type check_password_hook;
  
  extern void CreateRole(CreateRoleStmt *stmt);
  extern void AlterRole(AlterRoleStmt *stmt);
diff -c -r postgresql-8.5.orig/src/backend/commands/user.c postgresql-8.5/src/backend/commands/user.c
*** postgresql-8.5.orig/src/backend/commands/user.c	2009-11-16 11:31:15.000000000 +0100
--- postgresql-8.5/src/backend/commands/user.c	2009-11-17 13:02:54.000000000 +0100
***************
*** 35,40 ****
--- 35,43 ----
  #include "utils/tqual.h"
  
  
+ /* Hook for plugins to check passwords in CreateRole() and AlterRole() */
+ PGDLLIMPORT check_password_hook_type check_password_hook = NULL;
+ 
  extern bool Password_encryption;
  
  static List *roleNamesToIds(List *memberNames);
***************
*** 299,304 ****
--- 302,318 ----
  						stmt->role)));
  
  	/*
+ 	 * Call the password checking function if there is one defined
+ 	 */
+ 	if (check_password_hook && password)
+ 	{
+ 		if (! (*check_password_hook)(stmt->role, password, isMD5(password)))
+ 			ereport(ERROR,
+ 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+ 					 errmsg("password rejected as insecure")));
+ 	}
+ 
+ 	/*
  	 * Build a tuple to insert
  	 */
  	MemSet(new_record, 0, sizeof(new_record));
***************
*** 588,593 ****
--- 602,618 ----
  	}
  
  	/*
+ 	 * Call the password checking function if there is one defined
+ 	 */
+ 	if (check_password_hook && password)
+ 	{
+ 		if (! (*check_password_hook)(stmt->role, password, isMD5(password)))
+ 			ereport(ERROR,
+ 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+ 					 errmsg("password rejected as insecure")));
+ 	}
+ 
+ 	/*
  	 * Build an updated tuple, perusing the information just obtained
  	 */
  	MemSet(new_record, 0, sizeof(new_record));