Change PostgreSQL Password Authentication to SCRAM-SHA-256

By default (out-of-the-box installation), Postgres hashes passwords with md5. Beginning with Postgres 10, you can change your PostgreSQL password authentication to SCRAM-SHA-256, which is a more secure authentication method than md5 and plain password.

This new method of password encryption is only available for qTest OnPremise versions 10.3 and later. In addition, this option is not supported by older versions of Postgres clients (such as the JDBC driver, or Postgres binary tools such as psql). You will need to update your client to the minimum version that supports SCRAM-SHA-256.

Following are steps to change your local PostgreSQL password authentication to SCRAM-SHA-256.

  1. Download and install a PostgreSQL management tool, or use the database tool embedded in your IDE (pgAdmin, DBeaver, and so on).

  2. Connect the tool to your current database.

  3. Run the following query. This query displays your current password encryption method, such as md5.

    SHOW password_encryption;

  4. Run the following query. This query displays your current hashed password.

    SELECT rolpassword FROM pg_authid WHERE rolname = '{your-db-user-name}';

  5. Run the following query. This query changes the hashing method for your current session from md5 to SCRAM-SHA-256, so that the password set in the next step is stored in SCRAM-SHA-256 form. The setting is not yet persistent; step 8 makes it permanent.

    SET password_encryption = 'scram-sha-256';

  6. Run the following query. This query sets your password again so that it is stored using SCRAM-SHA-256 password encryption.

    ALTER USER "{your-db-user-name}" WITH PASSWORD '{your-new-db-password}';

  7. Run the following query again. The query now displays your password in SCRAM-SHA-256 format.

    SELECT rolpassword FROM pg_authid WHERE rolname = '{your-db-user-name}';

  8. Open the postgresql.conf file. Then set password_encryption to scram-sha-256 so that the setting persists across sessions and restarts.

  9. (Optional) Open the pg_hba.conf file. Then change the authentication method of the relevant entries to scram-sha-256.

    If md5 is specified as a method in the pg_hba.conf file but your password on the server is encrypted for SCRAM-SHA-256, then SCRAM-based authentication will automatically be used instead, in an effort to ease transition from the md5 method to the SCRAM method. For more information, refer to the PostgreSQL documentation.

  10. Restart the PostgreSQL service.

  11. Run the following query again. The result should display a password encryption method of scram-sha-256.

    SHOW password_encryption;
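The following script is an added example for this page; it is not part of qTest or PostgreSQL. It shows what steps 4 and 7 return by building both rolpassword formats for a constructed user name and password, classifies a rolpassword value as md5 or scram-sha-256, verifies a password against a SCRAM-SHA-256 verifier, and audits the postgresql.conf and pg_hba.conf text from steps 8 and 9 for settings weaker than scram-sha-256. The verifier layout and derivation follow RFC 5802/7677 and the PostgreSQL documentation; the SASLprep step PostgreSQL applies to passwords is omitted, so use ASCII passwords with it, and the pg_hba.conf parser assumes the CIDR address form for host records. The user name, password and configuration snippets are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
import re

# PostgreSQL's default iteration count for SCRAM-SHA-256 verifiers.
PG_SCRAM_ITERATIONS = 4096
WEAK_METHODS = {"md5", "password", "trust"}


def md5_rolpassword(username: str, password: str) -> str:
    """Legacy rolpassword: 'md5' + hex(md5(password || username)).
    The only salt is the user name and one unkeyed MD5 is cheap to brute-force."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def scram_sha256_rolpassword(password: str, salt=None,
                             iterations: int = PG_SCRAM_ITERATIONS) -> str:
    """SCRAM-SHA-256 rolpassword as PostgreSQL stores it:
    SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey> (base64 fields).
    SASLprep is omitted in this example; use ASCII passwords."""
    if salt is None:
        salt = os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()

    def b64(data: bytes) -> str:
        return base64.b64encode(data).decode("ascii")

    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def password_encryption_of(rolpassword: str) -> str:
    """Classify a pg_authid.rolpassword value (what steps 4 and 7 display)."""
    if rolpassword.startswith("SCRAM-SHA-256$"):
        return "scram-sha-256"
    if re.fullmatch(r"md5[0-9a-f]{32}", rolpassword):
        return "md5"
    return "unknown"


def scram_verify(rolpassword: str, password: str) -> bool:
    """Re-derive the verifier with the stored salt and iteration count and
    compare in constant time."""
    m = re.fullmatch(r"SCRAM-SHA-256\$(\d+):([^$]+)\$([^:]+):(.+)", rolpassword)
    if not m:
        raise ValueError("not a SCRAM-SHA-256 verifier")
    iterations, salt = int(m.group(1)), base64.b64decode(m.group(2))
    candidate = scram_sha256_rolpassword(password, salt, iterations)
    return hmac.compare_digest(candidate.encode("ascii"), rolpassword.encode("ascii"))


def conf_password_encryption(postgresql_conf: str):
    """Active password_encryption value in postgresql.conf text (last
    uncommented assignment wins), or None if the setting is absent."""
    value = None
    for line in postgresql_conf.splitlines():
        m = re.match(r"\s*password_encryption\s*=\s*'?([\w-]+)'?", line)
        if m:
            value = m.group(1)
    return value


def audit_pg_hba(pg_hba_conf: str):
    """(line_no, method) for records whose method is weaker than scram-sha-256.
    Assumes host-type records use the ADDRESS/CIDR form (one address field)."""
    findings = []
    for n, line in enumerate(pg_hba_conf.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # local: TYPE DATABASE USER METHOD; host*: TYPE DATABASE USER ADDRESS METHOD
        idx = 3 if fields[0] == "local" else 4
        if len(fields) > idx and fields[idx] in WEAK_METHODS:
            findings.append((n, fields[idx]))
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    user, pw = "app_user", "CorrectHorse42"
    old, new = md5_rolpassword(user, pw), scram_sha256_rolpassword(pw)
    print(password_encryption_of(old), old)
    print(password_encryption_of(new), new)
    print("verify:", scram_verify(new, pw), "wrong password:", scram_verify(new, "guess"))
    sample_hba = ("local   all all                 md5\n"
                  "host    all all 127.0.0.1/32    scram-sha-256\n"
                  "host    all app_user 10.0.0.0/8 md5\n")
    print("weak pg_hba.conf entries:", audit_pg_hba(sample_hba))
```

Run it after step 7 and compare the shape of the printed SCRAM value with the rolpassword returned by the query; the leading SCRAM-SHA-256$4096: prefix is what you should see, whereas a 35-character value starting with md5 means the password was not re-hashed.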