Choosing a strong password hashing method reduces the damage from leaked credentials by making offline cracking substantially harder and slowing down brute force attacks against stored hashes.
PostgreSQL stores role password verifiers in its system catalogs and consults the password_encryption setting whenever a password is set using CREATE ROLE, ALTER ROLE, or the psql \password command. Modern deployments typically prefer scram-sha-256, while md5 remains a legacy option for older compatibility needs.
Changing password_encryption only affects passwords set after the change, so existing roles are not automatically upgraded to the stronger format. Moving to scram-sha-256 also requires compatible client libraries and matching pg_hba.conf authentication rules; otherwise logins can fail after passwords are reset.
Steps to set the password encryption method in PostgreSQL:
- Confirm the PostgreSQL server version supports scram-sha-256.
$ sudo -u postgres psql -Atc "SHOW server_version;"
16.2
scram-sha-256 password encryption and authentication are available in PostgreSQL 10 and later.
- Check the current password_encryption value.
$ sudo -u postgres psql -Atc "SHOW password_encryption;"
scram-sha-256
- Find the active pg_hba.conf location.
$ sudo -u postgres psql -Atc "SHOW hba_file;"
/etc/postgresql/16/main/pg_hba.conf
- Set the relevant password authentication rules in pg_hba.conf to scram-sha-256.
host all all 10.0.0.0/8 scram-sha-256
Incorrect pg_hba.conf rules can lock out remote logins, so keep a working local superuser access path before reloading.
- Find the active postgresql.conf location.
$ sudo -u postgres psql -Atc "SHOW config_file;"
/etc/postgresql/16/main/postgresql.conf
- Set password_encryption to scram-sha-256 in postgresql.conf.
password_encryption = 'scram-sha-256'
- Reload PostgreSQL configuration to apply the updated settings.
$ sudo -u postgres psql -c "SELECT pg_reload_conf();"
 pg_reload_conf
----------------
 t
(1 row)
- Confirm password_encryption is active and loaded from the expected source.
$ sudo -u postgres psql -Atc "SELECT setting, source, sourcefile, sourceline FROM pg_settings WHERE name='password_encryption';"
scram-sha-256|configuration file|/etc/postgresql/16/main/postgresql.conf|##### snipped #####
- Reset role passwords that must be stored using the new method.
$ sudo -u postgres psql -c "ALTER ROLE appuser PASSWORD 'NewStrongPasswordHere';"
ALTER ROLE
Placing passwords on a command line can leak them via shell history or process listings, so prefer setting passwords from an interactive psql session where possible.
- Verify the role password is stored as a SCRAM-SHA-256 secret.
$ sudo -u postgres psql -Atc "SELECT rolname, rolpassword LIKE 'SCRAM-SHA-256$%' AS uses_scram FROM pg_authid WHERE rolname='appuser';"
appuser|t
- Test a TCP login using the updated pg_hba.conf rules.
$ psql -h 127.0.0.1 -U appuser postgres
Password for user appuser:
psql (16.2)
Type "help" for help.

postgres=> \conninfo
You are connected to database "postgres" as user "appuser" on host "127.0.0.1" at port "5432".
postgres=> \q
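Because changing password_encryption leaves existing md5 verifiers in place and a stale md5, password or trust rule in pg_hba.conf can undo the migration, a practitioner usually wants a quick audit of both before and after the cutover. The script below is an added example written for this article, not code from the original page or from the PostgreSQL project. It assumes a POSIX shell; the file name audit_pg_auth.sh, the SAMPLE_HBA rules and the test verifier strings are constructed for illustration; roles_needing_reset additionally assumes psql is on PATH and connects as a superuser (pg_authid is readable only by superusers), so adjust its psql options to your environment.

```shell
#!/bin/sh
# Added example (not from the original article): audit helpers for a
# password_encryption migration. verifier_kind and hba_weak_rules run
# offline; only roles_needing_reset needs psql and a superuser connection.

# verifier_kind: classify a pg_authid.rolpassword value by its stored format.
# Prints scram, md5, none (NULL / no password) or other (e.g. a plaintext
# password left over from a pre-10 server, or an unrecognised prefix).
verifier_kind() {
    case "$1" in
        'SCRAM-SHA-256$'*) echo scram ;;
        md5*) if [ "${#1}" -eq 35 ]; then echo md5; else echo other; fi ;;
        '')   echo none ;;
        *)    echo other ;;
    esac
}

# hba_weak_rules: read pg_hba.conf on stdin and print "<line>: <rule>" for
# every rule whose method is md5, password or trust, i.e. the rules that still
# need to become scram-sha-256 (or a non-password method) before the cutover.
hba_weak_rules() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f                       # no globbing while splitting the rule
        set -- $line
        set +f
        case "${1:-}" in
            '' | '#'*) continue ;;   # blank line or comment
            local) method=${4:-} ;;
            host | hostssl | hostnossl | hostgssenc | hostnogssenc)
                # ADDRESS is either CIDR (one field) or address + netmask (two)
                case "${5:-}" in
                    *.*.*.* | *:*) method=${6:-} ;;
                    *)             method=${5:-} ;;
                esac ;;
            *) continue ;;           # include directives, unknown types
        esac
        case "$method" in
            md5 | password | trust) printf '%s: %s\n' "$n" "$line" ;;
        esac
    done
}

# roles_needing_reset: list login roles whose stored verifier is not SCRAM,
# so their password must be reset now that password_encryption has changed.
# Assumes psql on PATH connecting as a superuser (assumption, not from the page).
roles_needing_reset() {
    psql -Atc "SELECT rolname, coalesce(rolpassword, '') FROM pg_authid WHERE rolcanlogin ORDER BY 1" |
    while IFS='|' read -r role verifier; do
        kind=$(verifier_kind "$verifier")
        case "$kind" in
            scram | none) ;;
            *) printf '%s\t%s\n' "$role" "$kind" ;;
        esac
    done
}

# Constructed sample pg_hba.conf (not taken from any real server).
SAMPLE_HBA='# TYPE  DATABASE  USER      ADDRESS            METHOD
local   all       postgres                     peer
host    all       all       127.0.0.1/32       md5
host    all       all       10.0.0.0/8         scram-sha-256
host    all       all       10.0.0.0 255.0.0.0 trust'

# demo_hba: run the pg_hba.conf lint over the constructed sample above.
demo_hba() {
    printf '%s\n' "$SAMPLE_HBA" | hba_weak_rules
}

# Usage: sh audit_pg_auth.sh [/path/to/pg_hba.conf]
# With a path, lint that file and (if psql is available) audit pg_authid;
# with no arguments, lint the constructed sample only.
if [ "$#" -ge 1 ]; then
    hba_weak_rules < "$1"
    if command -v psql >/dev/null 2>&1; then
        roles_needing_reset
    fi
else
    demo_hba
fi
```

Run it before reloading pg_hba.conf to see which rules would still accept md5 or unauthenticated logins, and again after the ALTER ROLE step to confirm the list of roles with non-SCRAM verifiers is empty. The lint flags trust as well as the two password methods because a trust rule silently bypasses whatever verifier format you just migrated to.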
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
