PostgreSQL 14 was recently released (2021-09-30), and set
password_encryption='scram-sha-256' as the default
password_encryption configuration value in
postgresql.conf (changed from
What it does: (source)
When a password is specified in CREATE ROLE or ALTER ROLE, this parameter determines the algorithm to use to encrypt the password. Possible values are
scram-sha-256, which will encrypt the password with SCRAM-SHA-256, and
md5, which stores the password as an MD5 hash. The default is
Note that older clients might lack support for the SCRAM authentication mechanism, and hence not work with passwords encrypted with SCRAM-SHA-256.
Further reference: https://www.postgresql.org/docs/current/auth-password.html
Any new users created or passwords changed with this parameter set to
scram-sha-256 will require updated client library/driver support for password authentication.
This parameter was initially available in PostgreSQL 10, but
scram-sha-256 has not been the default value until PostgreSQL 14. This change affects any downstream products using PostgreSQL as the underlying database, as well as the various client libraries and/or drivers supporting PostgreSQL connectivity, including libpq, ruby-pg, and epgsql.
Most upstream client libraries/drivers were updated to support SCRAM-SHA-256 for user authentication after the release of PostgreSQL 10, but many forked or pinned client libraries have not carried forward the necessary changes.
While resetting this parameter to
md5 will work as a workaround, this will become a particular issue where the customer operates an external database cluster, and/or customers wanting to eliminate use of MD5 password hashing for security or compliance reasons (e.g., FIPS).
Note: This is separate, but related to the
pg_hba.conf auth-method specification, which specifies the (minimum) authentication method to use when a connection matches that record. It permits continued use of existing MD5 password hashes from legacy client libraries/drivers, assuming the password is stored in MD5 format on the server, however, newer libraries/drivers will be needed if the password is updated and stored in in SCRAM format.
Per the link above:
To ease transition from the
md5method to the newer SCRAM method, if
md5is specified as a method in
pg_hba.confbut the user's password on the server is encrypted for SCRAM, then SCRAM-based authentication will automatically be chosen instead.