1 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>20.5. Password Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="auth-trust.html" title="20.4. Trust Authentication" /><link rel="next" href="gssapi-auth.html" title="20.6. GSSAPI Authentication" /></head><body id="docContent" class="container-fluid col-10"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">20.5. Password Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="auth-trust.html" title="20.4. Trust Authentication">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="client-authentication.html" title="Chapter 20. Client Authentication">Up</a></td><th width="60%" align="center">Chapter 20. Client Authentication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 18.0 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="gssapi-auth.html" title="20.6. GSSAPI Authentication">Next</a></td></tr></table><hr /></div><div class="sect1" id="AUTH-PASSWORD"><div class="titlepage"><div><div><h2 class="title" style="clear: both">20.5. Password Authentication <a href="#AUTH-PASSWORD" class="id_link">#</a></h2></div></div></div><a id="id-1.6.7.12.2" class="indexterm"></a><a id="id-1.6.7.12.3" class="indexterm"></a><a id="id-1.6.7.12.4" class="indexterm"></a><p>
3 There are several password-based authentication methods. These methods
4 operate similarly but differ in how the users' passwords are stored on the
5 server and how the password provided by a client is sent across the
7 </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">scram-sha-256</code></span></dt><dd><p>
8 The method <code class="literal">scram-sha-256</code> performs SCRAM-SHA-256
9 authentication, as described in
10 <a class="ulink" href="https://datatracker.ietf.org/doc/html/rfc7677" target="_top">RFC 7677</a>. It
11 is a challenge-response scheme that prevents password sniffing on
12 untrusted connections and supports storing passwords on the server in a
13 cryptographically hashed form that is thought to be secure.
15 This is the most secure of the currently provided methods, but it is
16 not supported by older client libraries.
17 </p></dd><dt><span class="term"><code class="literal">md5</code></span></dt><dd><p>
18 The method <code class="literal">md5</code> uses a custom less secure challenge-response
19 mechanism. It prevents password sniffing and avoids storing passwords
20 on the server in plain text but provides no protection if an attacker
21 manages to steal the password hash from the server. Also, the MD5 hash
22 algorithm is nowadays no longer considered secure against determined
25 To ease transition from the <code class="literal">md5</code> method to the newer
26 SCRAM method, if <code class="literal">md5</code> is specified as a method
27 in <code class="filename">pg_hba.conf</code> but the user's password on the
28 server is encrypted for SCRAM (see below), then SCRAM-based
29 authentication will automatically be chosen instead.
30 </p><div class="warning"><h3 class="title">Warning</h3><p>
31 Support for MD5-encrypted passwords is deprecated and will be removed
32 in a future release of <span class="productname">PostgreSQL</span>. Refer to
33 the text below for details about migrating to another password type.
34 </p></div></dd><dt><span class="term"><code class="literal">password</code></span></dt><dd><p>
35 The method <code class="literal">password</code> sends the password in clear-text and is
36 therefore vulnerable to password <span class="quote">“<span class="quote">sniffing</span>”</span> attacks. It should
37 always be avoided if possible. If the connection is protected by SSL
38 encryption then <code class="literal">password</code> can be used safely, though.
39 (Though SSL certificate authentication might be a better choice if one
40 is depending on using SSL).
41 </p></dd></dl></div><p>
42 <span class="productname">PostgreSQL</span> database passwords are
43 separate from operating system user passwords. The password for
44 each database user is stored in the <code class="literal">pg_authid</code> system
45 catalog. Passwords can be managed with the SQL commands
46 <a class="xref" href="sql-createrole.html" title="CREATE ROLE"><span class="refentrytitle">CREATE ROLE</span></a> and
47 <a class="xref" href="sql-alterrole.html" title="ALTER ROLE"><span class="refentrytitle">ALTER ROLE</span></a>,
48 e.g., <strong class="userinput"><code>CREATE ROLE foo WITH LOGIN PASSWORD 'secret'</code></strong>,
49 or the <span class="application">psql</span>
50 command <code class="literal">\password</code>.
51 If no password has been set up for a user, the stored password
52 is null and password authentication will always fail for that user.
54 The availability of the different password-based authentication methods
55 depends on how a user's password on the server is encrypted (or hashed,
56 more accurately). This is controlled by the configuration
57 parameter <a class="xref" href="runtime-config-connection.html#GUC-PASSWORD-ENCRYPTION">password_encryption</a> at the time the
58 password is set. If a password was encrypted using
59 the <code class="literal">scram-sha-256</code> setting, then it can be used for the
60 authentication methods <code class="literal">scram-sha-256</code>
61 and <code class="literal">password</code> (but password transmission will be in
62 plain text in the latter case). The authentication method
63 specification <code class="literal">md5</code> will automatically switch to using
64 the <code class="literal">scram-sha-256</code> method in this case, as explained
65 above, so it will also work. If a password was encrypted using
66 the <code class="literal">md5</code> setting, then it can be used only for
67 the <code class="literal">md5</code> and <code class="literal">password</code> authentication
68 method specifications (again, with the password transmitted in plain text
69 in the latter case). (Previous PostgreSQL releases supported storing the
70 password on the server in plain text. This is no longer possible.) To
71 check the currently stored password hashes, see the system
72 catalog <code class="literal">pg_authid</code>.
74 To upgrade an existing installation from <code class="literal">md5</code>
75 to <code class="literal">scram-sha-256</code>, after having ensured that all client
76 libraries in use are new enough to support SCRAM,
77 set <code class="literal">password_encryption = 'scram-sha-256'</code>
78 in <code class="filename">postgresql.conf</code>, make all users set new passwords,
79 and change the authentication method specifications
80 in <code class="filename">pg_hba.conf</code> to <code class="literal">scram-sha-256</code>.
81 </p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="auth-trust.html" title="20.4. Trust Authentication">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="client-authentication.html" title="Chapter 20. Client Authentication">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="gssapi-auth.html" title="20.6. GSSAPI Authentication">Next</a></td></tr><tr><td width="40%" align="left" valign="top">20.4. Trust Authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 18.0 Documentation">Home</a></td><td width="40%" align="right" valign="top"> 20.6. GSSAPI Authentication</td></tr></table></div></body></html>
begriffs.com / projects / ai-pg / blob