First, it is important to understand that on most Unix distributions the default Postgres user neither requires nor uses a password for authentication. Instead, depending on how Postgres was originally installed and which version you are using, the default authentication method for local connections will be either ident or peer.
ident authentication asks the operating system's identification server (the RFC 1413 ident daemon listening on TCP port 113 on the client host) which OS user owns the connecting socket, and accepts the connection if that user maps to the requested database user. It does not verify any credentials, it trusts whatever the client host's ident daemon answers, and it is only meaningful on TCP/IP connections; if ident is specified for a local Unix-socket connection, Postgres uses peer instead.
- If you use 'sudo passwd postgres', the operating-system account is immediately unlocked. Worse, if you set the password to something weak, like 'postgres', you are exposed to real danger: there are many bots out there trying the username/password combination 'postgres/postgres' to log in to Unix systems. The OS account and the database role are separate things with separate passwords; giving the database role a password (as described below) does not require unlocking the OS account.
- In the password file (~/.pgpass), the password field from the first line that matches the current connection parameters will be used. (Therefore, put more-specific entries first when you are using wildcards.) If an entry needs to contain : or \, escape this character with \.
- In the beginning, PostgreSQL only had the method that is now known as “password” in pg_hba.conf. It is the simplest thing you can imagine: the client says to the server, “Hello, I’m Peter, I would like to connect.”
Inside the psql shell you can give the DB user postgres a password: ALTER USER postgres PASSWORD 'newPassword'; You can leave the psql shell by typing Ctrl-D or with the command \q. Now you should be able to give pgAdmin a valid password for the DB superuser and it will be happy too.
peer authentication, on the other hand, is used for local (Unix-domain socket) connections and checks that the operating-system username of the connecting client, as reported by the kernel, matches the requested Postgres database user (optionally translated through a map in pg_ident.conf). No password is exchanged, so whoever can become the postgres OS user can connect as the postgres database user.
Login and Connect as Default User
For most systems, the default Postgres user is postgres and a password is not required for authentication. Thus, to add a password, we must first login and connect as the postgres user:
$ sudo -u postgres psql
If you successfully connected and are viewing the psql prompt, jump down to the Changing the Password section.
If you received an error stating that the database “postgres” doesn’t exist, try connecting to the template1 database instead (sudo -u postgres psql template1) and, if successful, continue to Changing the Password.
Authentication Error
If you receive an authentication error when attempting to connect with the psql client, you may need to alter the Postgres client authentication config file (pg_hba.conf).
Open the config file, typically located at /etc/postgresql/#.#/main/pg_hba.conf on Debian-based systems, where #.# is the Postgres version you are using. If you can get into psql by any other route, SHOW hba_file; prints the exact path the server is using.
The auth config file is a list of authentication rules, and Postgres applies the first rule that matches a connection, so order matters. Scroll down the file until you locate the first line with the postgres user in the third column (if such a line exists). Uncomment the line if necessary (remove the leading #; pg_hba.conf uses # for comments, not semicolons), or, if the line is missing entirely, add the following line to the top of the file and save your changes:
This authentication rule simply tells Postgres that for local connections to all databases as the user postgres, it should authenticate using the peer method. The server only re-reads pg_hba.conf on reload, so reload it after saving (for example sudo systemctl reload postgresql, or SELECT pg_reload_conf(); from an existing session).
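The rule the text describes, written out in pg_hba.conf syntax. This is an added illustration, not a line taken from the original page; the column layout and the peer method are standard, the surrounding comments are mine.

```text
# Columns: TYPE  DATABASE  USER  ADDRESS  METHOD   (ADDRESS is omitted for "local" socket rules)
# pg_hba.conf is evaluated top-down and the first matching rule wins, so keep this line above
# any broader rule such as "local all all ..." that would otherwise match first.
local   all   postgres   peer
```

This rule matches only Unix-socket connections. A client that connects over TCP (psql -h localhost, or most GUI tools and application drivers) hits the host rules instead, and will only be able to use the password you set below if the host rule that matches it uses a password method such as scram-sha-256 or md5 rather than peer, ident or trust. After editing, reload the server with sudo systemctl reload postgresql or SELECT pg_reload_conf(); and re-check with a fresh connection.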
Note: Some older versions of Postgres default to ident, but most modern installations use peer as specified above (and, since PostgreSQL 9.1, ident on a local socket connection is treated as peer anyway). You may need to test both if your results differ.
Now with your configuration file updated and reloaded, repeat the steps in the Login and Connect as Default User section to try to connect as the default postgres user. Once successful, proceed with changing the password.
Changing the Password
With a connection now established to Postgres at the psql prompt, issue the ALTER USER command to change the password for the postgres user:
ALTER USER postgres PASSWORD 'newPassword';
If successful, Postgres will respond with the confirmation ALTER ROLE (ALTER USER is an alias for ALTER ROLE, which is why the reply is worded that way).
Finally, exit the psql client by using the \q command.
You’re all done. The default postgres user now has a password associated with the account for use in your other applications. Keep in mind that this is the database role’s password, not the Unix account’s: the peer rule above still lets the local postgres OS user in without it, and remote clients are only asked for it when the pg_hba.conf rule that matches them uses a password method (scram-sha-256 or md5).
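The same password change done with a little more care, as an added example that is not part of the original page. ALTER USER with a literal password works, but the plaintext then sits in your psql history and, if log_statement is set to all, in the server log; psql’s \password meta-command avoids both by hashing client-side. The role name postgres and the placeholder password are the tutorial’s; the queries against pg_authid assume a superuser session.

```sql
-- Option A (what the tutorial does): the plaintext travels inside the SQL text.
ALTER USER postgres PASSWORD 'newPassword';
-- Server replies: ALTER ROLE

-- How will the server store it? 'scram-sha-256' (default since PostgreSQL 14) or the legacy 'md5'.
SHOW password_encryption;

-- What is actually stored is a verifier, never the plaintext. Superuser only.
-- Expect a value starting with 'SCRAM-SHA-256$4096:' (or 'md5' on older defaults).
SELECT rolname, left(rolpassword, 19) AS verifier_prefix
  FROM pg_authid
 WHERE rolname = 'postgres';

-- Option B: let psql prompt for the password, hash it locally according to
-- password_encryption, and send only the verifier. Nothing to scrub from history or logs.
\password postgres

-- Afterwards, confirm that a TCP client is really challenged for the password
-- (this only happens if the matching pg_hba.conf "host" rule uses scram-sha-256 or md5):
--   psql -h localhost -U postgres -W postgres
```

If the server still reports md5 under password_encryption, switching it to scram-sha-256 and re-running \password upgrades the stored verifier; md5 verifiers are unsalted in the SCRAM sense and are accepted only for compatibility.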
There are 3 basic rules for keeping user credentials secure:
- NEVER store passwords as plain text.
- ALWAYS use a random salt when hashing passwords (passwords are hashed with a one-way function, never encrypted, because there should be no way to get the plaintext back).
- DO NOT roll your own crypto.
Lucky for us, the pgcrypto module in PostgreSQL makes it very easy to follow these rules. Let us take a look at an example.
First, we need to enable pgcrypto:
Then, we can create a table for storing user credentials:
When creating a new user, we can use the crypt function to hash the password. (pgcrypto keeps the historical Unix name crypt, but it is a one-way password hash, not reversible encryption.)
The crypt function accepts two arguments:
- The password to hash
- The salt to use when hashing
We should always use the gen_salt function to let PostgreSQL generate a random salt for us. I prefer using the blowfish algorithm (bf) with gen_salt, but here is the list of algorithms you can use: des, xdes, md5 and bf. Only bf (bcrypt) is a deliberately slow hash with a cost factor you can raise over time, which is what password storage needs; the other three exist for compatibility with traditional Unix crypt(3) hashes and are far too fast to resist offline guessing.
To authenticate a user, we use crypt again, but this time we pass these arguments:
- The submitted password
- The hash we already have in the database
If the password matches, crypt will return the same value as the one we already have in the database. This works because the stored string begins with the algorithm identifier, cost and salt, so crypt reads them back out and recomputes the hash under exactly the same parameters; no separate salt column is needed.
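The whole flow described in this section, from enabling pgcrypto to verifying a login, as one added example. This is not the original page’s code: the table name app_user, the function check_login and the sample credentials are illustrative choices of mine, and the statements assume a role allowed to run CREATE EXTENSION.

```sql
-- 1. Enable pgcrypto (once per database).
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- 2. A credentials table. The salt and cost live inside the bcrypt string itself.
CREATE TABLE app_user (
    id            serial PRIMARY KEY,
    username      text NOT NULL UNIQUE,
    password_hash text NOT NULL      -- e.g. $2a$12$<22-char salt><31-char hash>
);

-- 3. Create a user. gen_salt('bf', 12) yields a fresh random salt with bcrypt cost 2^12;
--    the hash is computed inside the database, so the application never handles salts.
--    (bcrypt only looks at the first 72 bytes of the password.)
INSERT INTO app_user (username, password_hash)
VALUES ('alice', crypt('correct horse battery staple', gen_salt('bf', 12)));

-- 4. Verify a login. Passing the stored hash as the "salt" makes crypt reuse the embedded
--    salt and cost, so a correct password reproduces the stored string byte for byte.
CREATE OR REPLACE FUNCTION check_login(p_username text, p_password text)
RETURNS boolean
LANGUAGE sql
STABLE
AS $$
    SELECT EXISTS (
        SELECT 1
          FROM app_user
         WHERE username = p_username
           AND password_hash = crypt(p_password, password_hash)
    );
$$;

SELECT check_login('alice', 'correct horse battery staple');  -- true
SELECT check_login('alice', 'Tr0ub4dor&3');                   -- false
SELECT check_login('nobody', 'anything');                      -- false: no row, nothing leaves the DB

-- 5. Raise the cost on hashes that were created with a lower one. Run this right after a
--    successful check_login, while the plaintext is still in hand; the cost is the third
--    '$'-separated field of the bcrypt string.
UPDATE app_user
   SET password_hash = crypt('correct horse battery staple', gen_salt('bf', 12))
 WHERE username = 'alice'
   AND split_part(password_hash, '$', 3)::int < 12;
```

Two practical caveats. The submitted password crosses the wire inside the query, so send it as a bind parameter over a TLS connection and keep log_statement away from all on this database, or the plaintext ends up in the server log. And check_login returns faster for an unknown username than for a wrong password, because no bcrypt computation runs; if user enumeration matters, compute crypt against a fixed dummy hash in the not-found branch so both paths cost the same.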