Choosing a strong password hashing method reduces the damage from leaked credentials by making offline cracking substantially harder and slowing down brute force attacks against stored hashes.
PostgreSQL stores role password verifiers in its system catalogs and consults the password_encryption setting whenever a password is set using CREATE ROLE, ALTER ROLE, or the psql \password command. Modern deployments typically prefer scram-sha-256, while md5 remains a legacy option for older compatibility needs.
Changing password_encryption only affects newly set passwords, so existing roles are not automatically upgraded to the stronger format and keep their old verifiers until their passwords are reset. Moving to scram-sha-256 also requires compatible client libraries and matching pg_hba.conf authentication rules; otherwise logins can fail after passwords are reset.
Related: How to configure pg_hba.conf in PostgreSQL
Related: How to secure a PostgreSQL server
$ sudo -u postgres psql -Atc "SHOW server_version;"
16.11 (Ubuntu 16.11-0ubuntu0.24.04.1)
scram-sha-256 password encryption and authentication are available in PostgreSQL 10 and later.
$ sudo -u postgres psql -Atc "SHOW password_encryption;"
scram-sha-256
$ sudo -u postgres psql -Atc "SHOW hba_file;"
/etc/postgresql/16/main/pg_hba.conf
host all all 192.0.2.0/24 scram-sha-256
Incorrect pg_hba.conf rules can lock out remote logins, so keep a working local superuser access path before reloading.
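Because a single weak or over-broad pg_hba.conf rule undoes the benefit of scram-sha-256 verifiers, it helps to audit the file before reloading. The following Python is an added example (not part of the original page or of PostgreSQL itself): it parses the common rule forms, flags `trust`, `password` and `md5` rules that apply to non-loopback hosts, and confirms that at least one local access path remains. The sample file, the helper names and the treatment of keyword addresses such as `all` or `samenet` as remote are assumptions made for this example.

```python
"""Audit pg_hba.conf rules for weak remote authentication (offline example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample pg_hba.conf; only the 192.0.2.0/24 line mirrors the page.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS          METHOD
local   all       postgres                   peer
host    all       all       127.0.0.1/32     scram-sha-256
host    all       all       192.0.2.0/24     scram-sha-256
host    all       all       198.51.100.0/24  md5
host    all       all       0.0.0.0/0        trust
"""

# Methods that either skip authentication or rely on the legacy md5 scheme.
WEAK_METHODS = {"trust", "password", "md5"}
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
NETMASK_RE = re.compile(r"^[0-9a-fA-F.:]+$")


@dataclass
class Rule:
    conn_type: str
    database: str
    user: str
    address: Optional[str]  # None for 'local' rules
    method: str
    lineno: int


def parse_hba(text: str) -> List[Rule]:
    """Parse 'local' and 'host*' rules; comments and blank lines are skipped.

    Both the CIDR form and the separate-netmask form of the address are accepted;
    any trailing method options (e.g. clientcert=verify-full) are ignored.
    """
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local" and len(fields) >= 4:
            rules.append(Rule("local", fields[1], fields[2], None, fields[3], lineno))
        elif fields[0] in HOST_TYPES and len(fields) >= 5:
            address, method_idx = fields[3], 4
            if "/" not in address and len(fields) > 5 and NETMASK_RE.match(fields[4]):
                address, method_idx = f"{address}/{fields[4]}", 5  # address + netmask
            rules.append(Rule(fields[0], fields[1], fields[2], address, fields[method_idx], lineno))
        else:
            raise ValueError(f"line {lineno}: unrecognised rule: {raw!r}")
    return rules


def _is_loopback(address: str) -> bool:
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return False  # hostname or keyword (all, samehost, samenet): treat as remote


def weak_remote_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that let non-loopback clients in with a weak method."""
    return [
        r for r in rules
        if r.conn_type != "local" and r.method in WEAK_METHODS and not _is_loopback(r.address)
    ]


def has_local_access_path(rules: List[Rule]) -> bool:
    """True if a superuser can still log in locally after a reload (socket or loopback)."""
    return any(
        r.method != "reject" and (r.conn_type == "local" or _is_loopback(r.address))
        for r in rules
    )


if __name__ == "__main__":
    parsed = parse_hba(SAMPLE_HBA)
    for r in weak_remote_rules(parsed):
        print(f"line {r.lineno}: {r.conn_type} {r.address} uses weak method {r.method}")
    print("local access path present:", has_local_access_path(parsed))
```

Run it against a real file by replacing SAMPLE_HBA with the contents of the path reported by `SHOW hba_file;`; the md5 rule on 198.51.100.0/24 and the `trust` rule on 0.0.0.0/0 are the two findings on the sample.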
$ sudo -u postgres psql -Atc "SHOW config_file;"
/etc/postgresql/16/main/postgresql.conf
$ sudo -u postgres psql -c "ALTER SYSTEM SET password_encryption = 'scram-sha-256';"
ALTER SYSTEM
$ sudo -u postgres psql -c "SELECT pg_reload_conf();"
 pg_reload_conf
----------------
 t
(1 row)
$ sudo -u postgres psql -Atc "SELECT setting, source, sourcefile, sourceline FROM pg_settings WHERE name='password_encryption';"
scram-sha-256|configuration file|/var/lib/postgresql/16/main/postgresql.auto.conf|16
$ sudo -u postgres psql -c "ALTER ROLE appuser PASSWORD 'S3curePass!2025';"
ALTER ROLE
Placing passwords on a command line can leak them via shell history or process listings, so prefer setting passwords from an interactive psql session where possible.
$ sudo -u postgres psql -Atc "SELECT rolname, rolpassword LIKE 'SCRAM-SHA-256$%' AS uses_scram FROM pg_authid WHERE rolname='appuser';"
appuser|t
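The single-role check above generalizes to a catalog-wide audit: since changing password_encryption leaves existing verifiers untouched, the roles still carrying md5 verifiers are the ones whose passwords must be reset. The following Python is an added example, not code from the page or from PostgreSQL; it classifies `pg_authid.rolpassword` values by the documented storage formats (`md5` followed by 32 hex digits, or `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>`) and lists the roles needing a reset. The sample rows, the helper names and the 4096 minimum (PostgreSQL's default SCRAM iteration count) are assumptions of this example; `scram_sha256_verifier` only exists here to build a realistic SCRAM sample offline, following the RFC 7677 key derivation.

```python
"""Classify PostgreSQL role password verifiers and list roles needing a reset."""
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# PostgreSQL's default iteration count for SCRAM-SHA-256 verifiers (assumed minimum here).
MIN_ITERATIONS = 4096

MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")
SCRAM_RE = re.compile(
    r"^SCRAM-SHA-256\$(?P<iter>\d+):(?P<salt>[A-Za-z0-9+/=]+)"
    r"\$(?P<stored>[A-Za-z0-9+/=]+):(?P<server>[A-Za-z0-9+/=]+)$"
)


def scram_sha256_verifier(password: str, salt: bytes, iterations: int = MIN_ITERATIONS) -> str:
    """Build a verifier in the format the server stores (used here only for sample data).

    SaltedPassword = PBKDF2-HMAC-SHA-256(password, salt, iterations)
    StoredKey = SHA-256(HMAC(SaltedPassword, "Client Key")), ServerKey = HMAC(SaltedPassword, "Server Key")
    """
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda b: base64.b64encode(b).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


@dataclass
class Finding:
    rolname: str
    scheme: str                # "scram-sha-256", "md5", "none" or "unknown"
    iterations: Optional[int]  # only meaningful for SCRAM verifiers
    needs_reset: bool
    reason: str


def classify_verifier(rolname: str, rolpassword: Optional[str]) -> Finding:
    """Decide, from the stored verifier alone, whether the role's password must be reset."""
    if rolpassword is None:
        # Roles authenticated by peer/cert/GSS or never given a password: nothing to upgrade.
        return Finding(rolname, "none", None, False, "no password verifier stored")
    if MD5_RE.match(rolpassword):
        return Finding(rolname, "md5", None, True, "legacy md5 verifier; reset under scram-sha-256")
    m = SCRAM_RE.match(rolpassword)
    if m:
        iterations = int(m.group("iter"))
        if iterations < MIN_ITERATIONS:
            return Finding(rolname, "scram-sha-256", iterations, True,
                           f"iteration count {iterations} below {MIN_ITERATIONS}")
        return Finding(rolname, "scram-sha-256", iterations, False, "ok")
    return Finding(rolname, "unknown", None, True, "unrecognised verifier format")


def audit(rows: Iterable[Tuple[str, Optional[str]]]) -> List[Finding]:
    return [classify_verifier(rolname, rolpassword) for rolname, rolpassword in rows]


def roles_needing_reset(rows: Iterable[Tuple[str, Optional[str]]]) -> List[str]:
    return [f.rolname for f in audit(rows) if f.needs_reset]


# Constructed sample rows standing in for `SELECT rolname, rolpassword FROM pg_authid`.
SAMPLE_ROWS = [
    ("appuser", scram_sha256_verifier("example-only-password", b"constructed-salt")),
    ("legacy_app", "md5" + "0123456789abcdef" * 2),  # constructed md5-format verifier
    ("cert_only", None),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ROWS):
        flag = "RESET" if f.needs_reset else "ok"
        print(f"{f.rolname:12} {f.scheme:14} {flag:6} {f.reason}")
```

In practice the rows come from `psql -Atc "SELECT rolname, rolpassword FROM pg_authid"` run as a superuser (pg_authid is not readable by ordinary roles); the roles the script reports are the ones to reset with ALTER ROLE ... PASSWORD once password_encryption is scram-sha-256.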
$ psql -h 127.0.0.1 -U appuser postgres -c "\conninfo"
You are connected to database "postgres" as user "appuser" on host "127.0.0.1" at port "5432".
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off)