2 20.5. Password Authentication #
4 There are several password-based authentication methods. These methods
5 operate similarly but differ in how the users' passwords are stored on
6 the server and how the password provided by a client is sent across the
10 The method scram-sha-256 performs SCRAM-SHA-256 authentication,
11 as described in RFC 7677. It is a challenge-response scheme that
12 prevents password sniffing on untrusted connections and supports
13 storing passwords on the server in a cryptographically hashed
14 form that is thought to be secure.
16 This is the most secure of the currently provided methods, but
17 it is not supported by older client libraries.
20 The method md5 uses a custom less secure challenge-response
21 mechanism. It prevents password sniffing and avoids storing
22 passwords on the server in plain text but provides no protection
23 if an attacker manages to steal the password hash from the
24 server. Also, the MD5 hash algorithm is nowadays no longer
25 considered secure against determined attacks.
27 To ease transition from the md5 method to the newer SCRAM
28 method, if md5 is specified as a method in pg_hba.conf but the
29 user's password on the server is encrypted for SCRAM (see
30 below), then SCRAM-based authentication will automatically be
35 Support for MD5-encrypted passwords is deprecated and will be
36 removed in a future release of PostgreSQL. Refer to the text
37 below for details about migrating to another password type.
40 The method password sends the password in clear-text and is
41 therefore vulnerable to password “sniffing” attacks. It should
42 always be avoided if possible. If the connection is protected by
43 SSL encryption then password can be used safely, though. (Though
44 SSL certificate authentication might be a better choice if one
45 is depending on using SSL).
47 PostgreSQL database passwords are separate from operating system user
48 passwords. The password for each database user is stored in the
49 pg_authid system catalog. Passwords can be managed with the SQL
50 commands CREATE ROLE and ALTER ROLE, e.g., CREATE ROLE foo WITH LOGIN
51 PASSWORD 'secret', or the psql command \password. If no password has
52 been set up for a user, the stored password is null and password
53 authentication will always fail for that user.
55 The availability of the different password-based authentication methods
56 depends on how a user's password on the server is encrypted (or hashed,
57 more accurately). This is controlled by the configuration parameter
58 password_encryption at the time the password is set. If a password was
59 encrypted using the scram-sha-256 setting, then it can be used for the
60 authentication methods scram-sha-256 and password (but password
61 transmission will be in plain text in the latter case). The
62 authentication method specification md5 will automatically switch to
63 using the scram-sha-256 method in this case, as explained above, so it
64 will also work. If a password was encrypted using the md5 setting, then
65 it can be used only for the md5 and password authentication method
66 specifications (again, with the password transmitted in plain text in
67 the latter case). (Previous PostgreSQL releases supported storing the
68 password on the server in plain text. This is no longer possible.) To
69 check the currently stored password hashes, see the system catalog
72 To upgrade an existing installation from md5 to scram-sha-256, after
73 having ensured that all client libraries in use are new enough to
74 support SCRAM, set password_encryption = 'scram-sha-256' in
75 postgresql.conf, make all users set new passwords, and change the
76 authentication method specifications in pg_hba.conf to scram-sha-256.
begriffs.com / projects / ai-pg / blob