
Password authentication methods in PostgreSQL - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is the purpose of password authentication methods in PostgreSQL?
Password authentication methods in PostgreSQL control how users prove their identity when connecting to the database, ensuring only authorized users can access it.
intermediate
Explain the difference between md5 and scram-sha-256 authentication methods.
Both are password methods, but they store and exchange different things. md5 keeps md5(password || rolename) in pg_authid, a fast hash salted only by the role name, and that stored value is password-equivalent: anyone who reads it can complete the md5 challenge-response without knowing the password. scram-sha-256 (SCRAM, RFC 7677) stores a random-salted, iterated PBKDF2 verifier from which neither the password nor a valid login proof can be derived, supports channel binding over TLS, and has been the default password_encryption since PostgreSQL 14; it is the recommended method.
beginner
What is the role of the pg_hba.conf file in password authentication?
The pg_hba.conf file defines which authentication methods PostgreSQL uses for different users, databases, and connection types.
intermediate
How does password authentication differ from md5 in PostgreSQL?
password sends the password in clear text (acceptable only inside a TLS connection, and not recommended even then), while md5 never sends the password itself: the server issues a random 4-byte salt and the client answers with md5(md5(password || rolename) || salt), so a passive observer sees only the hashed response.
advanced
Why is scram-sha-256 considered more secure than md5 for password authentication?
scram-sha-256 derives its stored verifier with a random salt and an iteration count (4096 by default), and every login proves possession of the password against fresh nonces from both sides, so a captured exchange cannot be replayed and offline guessing is slow. The server stores only H(ClientKey), so a leaked verifier cannot be used to log in. md5's exchange is also salted per connection, but its stored hash is password-equivalent (a dump of pg_authid lets an attacker log in directly), a sniffed exchange permits fast offline dictionary attacks, and MD5 itself is an obsolete hash.
Which PostgreSQL password authentication method uses SHA-256 hashing?
A. scram-sha-256
B. md5
C. password
D. trust
Where do you configure the password authentication methods in PostgreSQL?
A. pg_password.conf
B. postgresql.conf
C. pg_ident.conf
D. pg_hba.conf
What does the password authentication method do in PostgreSQL?
A. Sends hashed password with MD5
B. Sends password in clear text
C. Uses SCRAM with SHA-256
D. Allows connection without password
Which authentication method is recommended for better security in PostgreSQL?
A. ident
B. trust
C. scram-sha-256
D. password
What is a key benefit of using scram-sha-256 over md5?
A. Resistance to replay attacks
B. Sends password in plain text
C. No password required
D. Uses MD5 hashing
Describe how PostgreSQL uses password authentication methods to secure database connections.
Think about how PostgreSQL checks user identity and protects passwords.
Explain why scram-sha-256 is preferred over md5 for password authentication in PostgreSQL.
Focus on the security improvements in the hashing method.
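The md5 and scram-sha-256 cards above describe what each method stores and exchanges; the following Python is an added example written for this page (not code from the original page or from PostgreSQL) that reproduces both at the byte level. It assumes the documented pg_authid.rolpassword formats ("md5" + hex(md5(password || rolename)) and "SCRAM-SHA-256$iterations:salt$StoredKey:ServerKey") and the SCRAM proof arithmetic from RFC 5802; the role name, password, salts and the SCRAM AuthMessage are constructed sample values, and the SCRAM client-first/server-first message framing is skipped so only the proof computation is shown.

```python
"""Added example (not from the original page): what PostgreSQL's md5 and
scram-sha-256 methods store and exchange. Role names, passwords, salts and
the SCRAM AuthMessage used here are constructed sample values."""
import base64
import hashlib
import hmac


# ---- md5 method ---------------------------------------------------------
# pg_authid.rolpassword holds "md5" + hex(md5(password || rolename)).
def md5_verifier(username: str, password: str) -> str:
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def md5_client_response(username: str, password: str, salt: bytes) -> str:
    # libpq answers the server's 4-byte salt with md5(hex(md5(pw||user)) || salt).
    inner = hashlib.md5((password + username).encode()).hexdigest()
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()


def md5_response_from_stored_hash(stored: str, salt: bytes) -> str:
    # The stored hash alone is enough to build a valid answer (pass-the-hash):
    # whoever dumps pg_authid can log in without ever learning the password.
    return "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()


def md5_server_check(stored: str, salt: bytes, response: str) -> bool:
    expected = md5_response_from_stored_hash(stored, salt)
    return hmac.compare_digest(expected.encode(), response.encode())


# ---- scram-sha-256 method (SCRAM, RFC 5802 / RFC 7677) ------------------
# pg_authid.rolpassword holds "SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>".
def scram_keys(password: str, salt: bytes, iterations: int):
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()  # server keeps H(ClientKey), never ClientKey
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, stored_key, server_key


def scram_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    _, stored_key, server_key = scram_keys(password, salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def scram_client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    # Client side: salt and iteration count arrive in the server-first message.
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage), so it needs the password.
    client_key, stored_key, _ = scram_keys(password, salt, iterations)
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return _xor(client_key, client_sig)


def scram_server_verify(verifier: str, auth_message: bytes, client_proof: bytes) -> bool:
    # Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    # StoredKey alone cannot produce a proof, so a leaked verifier is not password-equivalent,
    # and AuthMessage carries both sides' fresh nonces, so a captured proof cannot be replayed.
    _, _, keys = verifier.split("$")
    stored_key = base64.b64decode(keys.split(":")[0])
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    recovered_client_key = _xor(client_proof, client_sig)
    return hmac.compare_digest(hashlib.sha256(recovered_client_key).digest(), stored_key)


# Constructed sample values (not taken from any real server).
DEMO_USER, DEMO_PASSWORD = "alice", "correct horse battery staple"
DEMO_MD5_SALT = b"\x01\x02\x03\x04"
DEMO_SCRAM_SALT = bytes(range(16))
DEMO_AUTH_MESSAGE = b"n=alice,r=cnonce,r=cnoncesnonce,s=AAECAwQFBgcICQoLDA0ODw==,i=4096,c=biws,r=cnoncesnonce"

if __name__ == "__main__":
    stored = md5_verifier(DEMO_USER, DEMO_PASSWORD)
    print("md5 verifier        :", stored)
    print("login with password :", md5_server_check(
        stored, DEMO_MD5_SALT, md5_client_response(DEMO_USER, DEMO_PASSWORD, DEMO_MD5_SALT)))
    print("login with hash only:", md5_server_check(
        stored, DEMO_MD5_SALT, md5_response_from_stored_hash(stored, DEMO_MD5_SALT)))
    verifier = scram_verifier(DEMO_PASSWORD, DEMO_SCRAM_SALT)
    print("scram verifier      :", verifier)
    proof = scram_client_proof(DEMO_PASSWORD, DEMO_SCRAM_SALT, 4096, DEMO_AUTH_MESSAGE)
    print("scram proof accepted:", scram_server_verify(verifier, DEMO_AUTH_MESSAGE, proof))
```

Running it shows the asymmetry the cards describe: the md5 server accepts an answer built from the stored hash alone, while the SCRAM server can only confirm a proof that was derived from the password, and the same proof fails as soon as the AuthMessage (and therefore the nonces) changes.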

      Practice
      1. Which password authentication method in PostgreSQL is considered more secure and recommended for use?
      easy
      A. scram-sha-256
      B. md5
      C. password
      D. trust

      Solution

      1. Step 1: Understand common PostgreSQL password methods

        PostgreSQL's password-based methods are password (clear text), md5 and scram-sha-256; trust is not a password method at all, it admits anyone.
      2. Step 2: Compare security levels

        scram-sha-256 (SCRAM per RFC 7677, available since PostgreSQL 10 and the default password_encryption since 14) stores a random-salted, iterated verifier and never exposes a password-equivalent value; md5 is older, stores a fast hash that is password-equivalent, and is kept only for legacy clients.
      3. Final Answer:

        scram-sha-256 -> Option A
      4. Quick Check:

        More secure method = scram-sha-256 [OK]
      Hint: SCRAM is newer and stronger than MD5 for passwords [OK]
      Common Mistakes:
      • Confusing md5 as more secure than scram-sha-256
      • Choosing 'password' which sends plain text
      • Selecting 'trust' which requires no password
      • Switching the pg_hba.conf method without also setting password_encryption = scram-sha-256 and re-setting each role's password: a password stored in md5 form cannot be verified by a scram-sha-256 record, so those logins fail
      2. Which line correctly sets password authentication to SCRAM in the pg_hba.conf file?
      easy
      A. host all all 0.0.0.0/0 password
      B. host all all 0.0.0.0/0 md5
      C. host all all 0.0.0.0/0 scram-sha-256
      D. host all all 0.0.0.0/0 trust

      Solution

      1. Step 1: Identify the correct authentication method syntax

        Each pg_hba.conf record has the columns TYPE DATABASE USER ADDRESS METHOD [OPTIONS]; for a TCP/IP connection the type is host (or hostssl / hostnossl), so the line reads 'host all all 0.0.0.0/0 method'.
      2. Step 2: Match method to SCRAM

        To use SCRAM, the method must be exactly 'scram-sha-256'.
      3. Final Answer:

        host all all 0.0.0.0/0 scram-sha-256 -> Option C
      4. Quick Check:

        SCRAM method line = host all all 0.0.0.0/0 scram-sha-256 [OK]
      Hint: SCRAM method is 'scram-sha-256' exactly in pg_hba.conf [OK]
      Common Mistakes:
      • Using 'md5' instead of 'scram-sha-256' for SCRAM
      • Confusing 'password' with SCRAM
      • Omitting the IP address or using wrong format
      • Assuming 0.0.0.0/0 covers IPv6 clients: it matches IPv4 only, so IPv6 needs a ::/0 record (or the keyword all); in production prefer hostssl and the narrowest address range you can
      3. Given this pg_hba.conf line: host all all 192.168.1.0/24 md5, what happens when a user connects from IP 192.168.1.15?
      medium
      A. The user must use SCRAM authentication.
      B. The user connects without a password.
      C. The connection is rejected automatically.
      D. The user must provide a password hashed with MD5 to authenticate.

      Solution

      1. Step 1: Analyze the IP range and method

        The line applies to IPs in 192.168.1.0/24, which includes 192.168.1.15, and uses md5 authentication.
      2. Step 2: Understand md5 authentication behavior

        With md5 the server sends a random 4-byte salt and the client answers with md5(md5(password || rolename) || salt); the clear-text password never crosses the wire, but the value stored in pg_authid is enough to compute the answer. If the role's password is stored in SCRAM form, PostgreSQL 10+ performs SCRAM authentication even though the record says md5.
      3. Final Answer:

        The user must provide a password hashed with MD5 to authenticate. -> Option D
      4. Quick Check:

        IP in range + md5 method = MD5 challenge-response required [OK]
      Hint: the md5 method means the client must answer an MD5 challenge derived from the password [OK]
      Common Mistakes:
      • Assuming SCRAM is used instead of MD5 (it is only when the role's stored password is already a SCRAM verifier)
      • Thinking no password is needed
      • Believing connection is rejected without password
      4. You set host all all 0.0.0.0/0 scram-sha-256 in pg_hba.conf but users still connect without password prompts. What is the likely cause?
      medium
      A. The scram-sha-256 method is misspelled
      B. PostgreSQL was not reloaded after changing pg_hba.conf
      C. Users have no passwords set in the database
      D. The IP address range is incorrect

      Solution

      1. Step 1: Check if configuration changes are active

        pg_hba.conf is read at server start and on reload; edits do nothing until you run pg_ctl reload (or SELECT pg_reload_conf();). The pg_hba_file_rules view shows the rules currently loaded and reports any line that failed to parse.
      2. Step 2: Identify why password prompts are missing

        If users still connect without a prompt, the most likely cause is that the old rules are still in force because the server was never reloaded.
      3. Final Answer:

        PostgreSQL was not reloaded after changing pg_hba.conf -> Option B
      4. Quick Check:

        Config changes need reload = missing reload causes issue [OK]
      Hint: Always reload PostgreSQL after pg_hba.conf changes [OK]
      Common Mistakes:
      • Assuming misspelling causes no prompt instead of error: an invalid method makes the whole file fail to load, the reload is rejected with an error in the server log, and the previous rules stay active
      • Ignoring need to reload server
      • Thinking IP range affects password prompt
      • Overlooking an earlier, more permissive record (for example 'local all all trust', or a trust record for the same address range) that matches first, or credentials supplied silently from PGPASSWORD or ~/.pgpass; both also produce logins with no prompt
      5. You want to enforce SCRAM authentication only for users connecting from the local network (192.168.0.0/16) and allow password authentication (md5) for others. Which two lines in pg_hba.conf achieve this correctly?
      hard
      A. host all all 192.168.0.0/16 scram-sha-256 host all all 0.0.0.0/0 md5
      B. host all all 0.0.0.0/0 scram-sha-256 host all all 192.168.0.0/16 md5
      C. host all all 192.168.0.0/16 md5 host all all 0.0.0.0/0 scram-sha-256
      D. host all all 0.0.0.0/0 trust host all all 192.168.0.0/16 scram-sha-256

      Solution

      1. Step 1: Understand pg_hba.conf line order and matching

        PostgreSQL checks records top to bottom and applies the first one whose type, database, user and address all match; later records are never consulted, and if no record matches the connection is rejected.
      2. Step 2: Set SCRAM for local network first, then md5 for others

        Line 1: local network with scram-sha-256; Line 2: all others with md5. Because 0.0.0.0/0 also contains 192.168.0.0/16, putting the broad record first would shadow the SCRAM record.
      3. Final Answer:

        host all all 192.168.0.0/16 scram-sha-256 host all all 0.0.0.0/0 md5 -> Option A
      4. Quick Check:

        Specific local network first, then general others [OK]
      Hint: Put specific IP range first, general last in pg_hba.conf [OK]
      Common Mistakes:
      • Reversing line order causing wrong method to apply
      • Using 'trust' which disables password
      • Assigning md5 to local network instead of SCRAM
      • Expecting the md5 record to force MD5: it still negotiates SCRAM for any role whose stored password is a SCRAM verifier
      • Expecting 0.0.0.0/0 to cover IPv6 clients; it matches IPv4 only
      • Treating this layout as a hardening pattern: giving the weaker method to the wider network is backwards, and the usual practice is scram-sha-256 (over hostssl) everywhere with a narrow address range instead of 0.0.0.0/0
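The practice questions on pg_hba.conf records (Q2, Q3 and Q5) all turn on first-match semantics and CIDR matching. The following Python is an added example for this page (not code from the original page or from PostgreSQL) that resolves a connection against a rule set the way those questions describe and flags the records a reviewer would question. It models only the columns TYPE DATABASE USER ADDRESS METHOD for local/host/hostssl/hostnossl records with CIDR addresses or the keyword all; group names (+group), @file lists, samehost/samenet, host names and per-record options are deliberately out of scope. The rule text, role and database names and client addresses are constructed.

```python
"""Added example (not part of the original page): a first-match resolver and a
weak-method audit for pg_hba.conf records. Only TYPE DATABASE USER ADDRESS METHOD
are modelled; the rule text below is constructed sample input."""
import ipaddress

WEAK_METHODS = {
    "trust": "no credential at all",
    "password": "clear-text password on the wire",
    "md5": "password-equivalent hash at rest; use scram-sha-256",
}


def parse_hba(text: str) -> list:
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            if len(f) < 4:
                raise ValueError(f"line {lineno}: local record needs DATABASE USER METHOD")
            rule = dict(line=lineno, type="local", db=f[1], user=f[2], addr=None, method=f[3])
        elif f[0] in ("host", "hostssl", "hostnossl"):
            if len(f) < 5:
                raise ValueError(f"line {lineno}: {f[0]} record needs DATABASE USER ADDRESS METHOD")
            addr = "all" if f[3] == "all" else ipaddress.ip_network(f[3], strict=False)
            rule = dict(line=lineno, type=f[0], db=f[1], user=f[2], addr=addr, method=f[4])
        else:
            raise ValueError(f"line {lineno}: unsupported record type {f[0]!r}")
        rules.append(rule)
    return rules


def _name_matches(pattern: str, name: str) -> bool:
    # 'all' or a comma-separated list of names; sameuser/replication/+group are not modelled.
    return pattern == "all" or name in pattern.split(",")


def resolve(rules: list, database: str, user: str, client_ip=None, ssl: bool = False):
    """Return the first matching record, as PostgreSQL would, or None (connection rejected).
    client_ip=None models a Unix-socket connection, which only 'local' records match."""
    for r in rules:
        if client_ip is None:
            if r["type"] != "local":
                continue
        else:
            if r["type"] == "local":
                continue
            if (r["type"] == "hostssl" and not ssl) or (r["type"] == "hostnossl" and ssl):
                continue
            ip = ipaddress.ip_address(client_ip)
            # 0.0.0.0/0 never matches an IPv6 client: address families are matched separately.
            if r["addr"] != "all" and (ip.version != r["addr"].version or ip not in r["addr"]):
                continue
        if _name_matches(r["db"], database) and _name_matches(r["user"], user):
            return r
    return None


def audit(rules: list) -> list:
    """Flag weak methods and any-address records that do not at least require TLS."""
    findings = []
    for r in rules:
        if r["method"] in WEAK_METHODS:
            findings.append((r["line"], r["method"], WEAK_METHODS[r["method"]]))
        wide_open = r["addr"] == "all" or (r["addr"] is not None and r["addr"].prefixlen == 0)
        if wide_open and r["type"] != "hostssl":
            findings.append((r["line"], r["type"], "matches every address without TLS; narrow the range or use hostssl"))
    return findings


# Constructed sample files mirroring the practice questions.
Q3_HBA = "host all all 192.168.1.0/24 md5\n"
Q5_HBA = """# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    peer
host    all       all   192.168.0.0/16   scram-sha-256
host    all       all   0.0.0.0/0        md5
"""
Q5_HBA_REVERSED = """host    all       all   0.0.0.0/0        md5
host    all       all   192.168.0.0/16   scram-sha-256
"""

if __name__ == "__main__":
    rules = parse_hba(Q5_HBA)
    for ip in ("192.168.1.15", "10.0.0.5", "2001:db8::1"):
        hit = resolve(rules, "app", "alice", ip)
        print(ip, "->", hit["method"] if hit else "no matching record: rejected")
    for finding in audit(rules):
        print("line %d (%s): %s" % finding)
```

With the Q5 rules in the order the answer gives, 192.168.1.15 resolves to scram-sha-256 and 10.0.0.5 to md5; with the two host records reversed, 192.168.1.15 falls into the 0.0.0.0/0 record first and gets md5, which is the ordering mistake the question is about. An IPv6 client matches neither record and is rejected, and the audit reports the md5 method and the any-address record on the last line.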