What is this issue?
PostgreSQL supports two password authentication methods:
- MD5: Legacy, cryptographically broken
- SCRAM-SHA-256: Modern, secure (default since PostgreSQL 14)
MD5 vulnerabilities:
- Susceptible to rainbow table attacks
- Vulnerable to replay attacks
- Collision attacks are practical
- Does not use salting properly: the only salt is the role name, so the same password for the same role name produces the same hash on every server
An attacker who captures the MD5 hash can potentially:
- Use rainbow tables to find passwords
- Replay authentication tokens
- Brute force weak passwords quickly
Why it matters
- Credential theft: captured MD5 hashes can be cracked offline
- Replay attacks: authentication can be replayed without knowing the password, because the stored MD5 hash is by itself sufficient to authenticate
- Compliance: MD5 fails modern security compliance requirements
- Industry standard: SCRAM-SHA-256 is the expected standard
How PG Pilot detects it
```sql
-- Expected value is 'scram-sha-256'; 'md5' raises this issue
SELECT name, setting FROM pg_settings WHERE name = 'password_encryption';
```
How to fix it
Change the encryption setting
Set the server to use SCRAM-SHA-256:
```sql
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();
```
Reset user passwords
Existing MD5-hashed passwords must be reset; changing password_encryption only affects passwords set after the change:
```sql
-- For each user
ALTER USER username PASSWORD 'new_password';
```
Or have users change their own passwords.
Update pg_hba.conf
Change the authentication method from md5 to scram-sha-256. Do this only after all passwords have been reset: a scram-sha-256 rule rejects any role whose stored password is still an MD5 hash.
```text
# Before
host all all 0.0.0.0/0 md5
# After
host all all 0.0.0.0/0 scram-sha-256
```
Then reload:
```sql
SELECT pg_reload_conf();
```
Update client applications
Ensure all clients support SCRAM:
- libpq 10+ supports SCRAM
- Most modern drivers support SCRAM
- Update connection strings if needed
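The migration steps above can be verified in one pass. The following script is an added example, not PG Pilot's own detection code: it takes a snapshot of pg_authid.rolpassword values (readable by a superuser), the text of pg_hba.conf and the current password_encryption setting, and reports what is still outstanding, including roles that a scram-sha-256 rule would lock out. The role names and the sample pg_hba.conf are constructed.

```python
import re
# Constructed sample data (hypothetical role names, real storage formats): MD5 hashes
# are 'md5' + 32 hex chars, SCRAM verifiers 'SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>'.
SAMPLE_ROLES = {
    "app_ro": "md5" + "0" * 32,                         # still MD5: must be reset
    "app_rw": "SCRAM-SHA-256$4096:c2FsdA==$AAAA:BBBB",  # already migrated
    "replicator": None,                                 # no password (peer/cert auth)
}
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
host    all       all   127.0.0.1/32  md5
host    all       all   0.0.0.0/0     scram-sha-256
"""

def classify_password(rolpassword):
    """Map a pg_authid.rolpassword value to 'none', 'md5', 'scram-sha-256' or 'unknown'."""
    if rolpassword is None:
        return "none"
    if re.fullmatch(r"md5[0-9a-f]{32}", rolpassword):
        return "md5"
    return "scram-sha-256" if rolpassword.startswith("SCRAM-SHA-256$") else "unknown"

def parse_pg_hba(text):
    """Return active pg_hba.conf rules as dicts; 'local' rules carry no ADDRESS field."""
    rules = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not fields:
            continue
        local = fields[0] == "local"
        addr, method = (None, fields[3]) if local else (fields[3], fields[4])
        rules.append({"line": no, "type": fields[0], "database": fields[1],
                      "user": fields[2], "address": addr, "method": method})
    return rules

def audit(roles, pg_hba_text, password_encryption):
    """Return findings as strings; an empty list means the migration is complete."""
    findings = []
    if password_encryption != "scram-sha-256":
        findings.append(f"password_encryption = '{password_encryption}': new passwords will not be SCRAM")
    md5_roles = sorted(r for r, pw in roles.items() if classify_password(pw) == "md5")
    findings += [f"role {r} still stores an MD5 hash; reset its password" for r in md5_roles]
    rules = parse_pg_hba(pg_hba_text)
    findings += [f"pg_hba.conf line {r['line']}: method md5 still allows MD5 authentication"
                 for r in rules if r["method"] == "md5"]
    # Ordering caveat: scram-sha-256 rules reject roles whose stored hash is still MD5.
    if md5_roles and any(r["method"] == "scram-sha-256" for r in rules):
        findings.append(f"roles {md5_roles} will be locked out by scram-sha-256 rules until reset")
    return findings
```

Run `audit(SAMPLE_ROLES, SAMPLE_PG_HBA, "md5")` to see all four findings for the sample; feeding it the output of `SELECT rolname, rolpassword FROM pg_authid` and your real pg_hba.conf gives the same report for a live server.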
Prevention
- Set password_encryption = 'scram-sha-256' in postgresql.conf
- Use scram-sha-256 in pg_hba.conf
- Audit authentication methods regularly
- Keep PostgreSQL and client libraries updated