
Password authentication methods in PostgreSQL - Step-by-Step Execution

Concept Flow - Password authentication methods
Client connects to server
Server requests password
Client sends password
Server checks password method
Compare password using method
If match?
  No: Reject connection
  Yes: Allow connection
The client connects and sends its password response. The server checks it with the method named in the pg_hba.conf line that matches the connection. If it matches, the connection is allowed; otherwise it is rejected.
Execution Sample
PostgreSQL
CREATE USER alice WITH PASSWORD 'secret';
-- Client connects
-- The matching pg_hba.conf line names the method; this walkthrough assumes md5
-- Server sends a 4-byte salt; client answers with md5(md5(password || username) || salt)
-- Server recomputes the answer from the stored hash and compares
-- Connection allowed if match
This example creates a user with a password. The stored form of that password is fixed by the password_encryption setting at the time it is set (md5 in this walkthrough; scram-sha-256 is the default since PostgreSQL 14). When alice connects, PostgreSQL verifies the password with the method from the matching pg_hba.conf line, md5 here. If the line says md5 but the stored password is in SCRAM form, PostgreSQL runs SCRAM instead; if the line says scram-sha-256 and only an md5 hash is stored, authentication fails until the password is reset.
Execution Table
Step | Action | Password Method | Password Sent | Check Result | Connection Status
1 | Client connects | md5 | sent hashed password | pending | pending
2 | Server receives password | md5 | received hashed password | compare hash | pending
3 | Server compares password | md5 | hashed password | match | pending
4 | Password matches? | md5 | hashed password | Yes | allow connection
5 | Connection established | md5 | hashed password | confirmed | connected
💡 Password matches using md5 method, connection allowed
Variable Tracker
Variable | Start | After Step 1 | After Step 2 | After Step 3 | Final
password_method | undefined | md5 | md5 | md5 | md5
password_sent | none | hashed password | hashed password | hashed password | hashed password
check_result | none | pending | compare hash | match | match
connection_status | disconnected | pending | pending | pending | connected
Key Moments - 2 Insights
Why does the server compare a hashed password instead of the plain password?
Because with the md5 method the cleartext never leaves the client: the server sends a 4-byte salt and the client answers with md5(md5(password || username) || salt), which the server recomputes from the hash it keeps in pg_authid and compares, as in execution_table steps 2 and 3. The caveat is that the stored hash alone is enough to produce that answer, so a leaked hash is as good as the password; scram-sha-256 stores a verifier that cannot be used that way.
What happens if the password does not match?
The server rejects the connection as soon as the comparison fails (the 'Password matches?' decision in execution_table step 4), reports a password authentication failure to the client, and logs the attempt together with the pg_hba.conf line that matched.
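Worked example of the md5 exchange behind these two insights. This is an added illustration, not code from the page or from PostgreSQL itself; it reimplements in Python the hashing libpq and the server perform for the md5 method (first hash over password and username, second over that hash and the server's 4-byte salt), using the page's alice/secret credentials as constructed input. The function names are this example's own.

```python
import hashlib
import hmac
import os


def md5_stored_hash(username: str, password: str) -> str:
    """The value PostgreSQL keeps in pg_authid.rolpassword for an md5 password:
    'md5' + hex(md5(password || username)). The username is the only salt."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def md5_challenge_response(stored_hash: str, salt: bytes) -> str:
    """The client's answer to the server's 4-byte salt challenge
    (AuthenticationMD5Password): 'md5' + hex(md5(hex_of_first_hash || salt)).
    Note that the input is the stored hash, not the cleartext password."""
    if not (stored_hash.startswith("md5") and len(stored_hash) == 35 and len(salt) == 4):
        raise ValueError("expected 'md5' + 32 hex digits and a 4-byte salt")
    return "md5" + hashlib.md5(stored_hash[3:].encode("ascii") + salt).hexdigest()


def client_response_from_password(username: str, password: str, salt: bytes) -> str:
    """What a normal client (libpq) does: hash with the username, then with the salt."""
    return md5_challenge_response(md5_stored_hash(username, password), salt)


def client_response_from_hash(stored_hash: str, salt: bytes) -> str:
    """What a client holding only a leaked pg_authid value does: skip step one."""
    return md5_challenge_response(stored_hash, salt)


def md5_server_verify(stored_hash: str, salt: bytes, response: str) -> bool:
    """Server side: recompute the expected response from the stored hash and compare."""
    return hmac.compare_digest(md5_challenge_response(stored_hash, salt), response)


def login(stored_hash: str, respond, salt: bytes = None) -> bool:
    """One complete exchange: the server picks a salt, the client answers via respond(salt)."""
    salt = salt if salt is not None else os.urandom(4)   # the server's challenge
    return md5_server_verify(stored_hash, salt, respond(salt))


if __name__ == "__main__":
    # Constructed example matching the page's CREATE USER alice WITH PASSWORD 'secret'.
    stored = md5_stored_hash("alice", "secret")
    print("stored in pg_authid:", stored)
    print("right password :", login(stored, lambda s: client_response_from_password("alice", "secret", s)))
    print("wrong password :", login(stored, lambda s: client_response_from_password("alice", "Secret", s)))
    print("hash only      :", login(stored, lambda s: client_response_from_hash(stored, s)))
```

The last line of output is the weakness the insight glosses over: a client that holds only the stored pg_authid value (from a backup, a dump, or a compromised superuser session) authenticates without ever knowing the password. PostgreSQL itself even accepts such an 'md5...' string as the password in CREATE ROLE and stores it verbatim. That is why the documentation describes md5 as protecting only against sniffing and recommends scram-sha-256.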
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, what is the connection status at step 3?
A. pending
B. connected
C. disconnected
D. rejected
💡 Hint
Check the 'Connection Status' column at step 3 in the execution_table.
At which step does the server confirm the password matches?
A. Step 2
B. Step 3
C. Step 4
D. Step 5
💡 Hint
Look for the 'Password matches?' decision in the execution_table.
If the password method changed to 'scram-sha-256', what would change in the execution_table?
A. Password Sent column would be empty
B. Password Method column would show 'scram-sha-256'
C. Connection Status would be 'rejected'
D. No changes
💡 Hint
Focus on the 'Password Method' column in the execution_table.
Concept Snapshot
Password authentication in PostgreSQL:
- Client sends a password response on connect: a salted hash for md5, a SCRAM proof for scram-sha-256, the cleartext for the password method
- Server checks it with the method named in the matching pg_hba.conf line (md5, scram-sha-256, password)
- md5 and scram-sha-256 never put the cleartext password on the wire; password does, so it is only acceptable inside TLS
- Match allows the connection; mismatch rejects it
- The method is chosen per connection in pg_hba.conf; the stored form of a role's password is fixed by password_encryption when the password is created or changed (scram-sha-256 by default since PostgreSQL 14)
Full Transcript
When a client connects to PostgreSQL, the pg_hba.conf line that matches the connection decides how it must authenticate. With the password-based methods the server challenges the client and the client answers from its password: for md5 the answer is an MD5 hash over the stored hash and a 4-byte salt; for scram-sha-256 it is a SCRAM proof derived from a salted, iterated PBKDF2 key. The server compares the answer with what it can compute from the stored credential and allows the connection on a match, rejecting it otherwise. Neither md5 nor scram-sha-256 sends the cleartext password over the network; the password method does, and is only defensible inside TLS. The stored form of each role's password (md5 or SCRAM) is fixed by the password_encryption setting at the time the password is set (scram-sha-256 by default since PostgreSQL 14), while the method is chosen per connection by pg_hba.conf and can differ by user, database, and client address.
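The scram-sha-256 exchange the transcript mentions, as an added Python example (not page or PostgreSQL code). It follows RFC 5802/7677 the way PostgreSQL applies them: PBKDF2-HMAC-SHA-256 with the iteration count and salt taken from the stored verifier, an empty SCRAM username because the startup packet already carries it, and no channel binding. The verifier format is the one PostgreSQL keeps in pg_authid.rolpassword; the function names, the 4096-iteration default and the fixed nonces used for reproducibility are this example's assumptions, and SASLprep normalisation of the password is omitted, so use ASCII passwords with it.

```python
import base64
import hashlib
import hmac
import os


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def scram_keys(password: str, salt: bytes, iterations: int) -> tuple:
    """Derive (ClientKey, ServerKey) from the cleartext password (RFC 5802).
    Only a party holding the password can do this. PostgreSQL runs the password
    through SASLprep first; omitted here (assumption: ASCII passwords)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return _hmac(salted, b"Client Key"), _hmac(salted, b"Server Key")


def scram_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    """What pg_authid.rolpassword holds for a SCRAM password:
    SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey> (base64 fields).
    StoredKey = SHA-256(ClientKey); ClientKey itself is never stored."""
    client_key, server_key = scram_keys(password, salt, iterations)
    stored_key = hashlib.sha256(client_key).digest()
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"


def parse_verifier(verifier: str) -> tuple:
    scheme, params, keys = verifier.split("$")
    if scheme != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 verifier")
    iterations, salt = params.split(":")
    stored_key, server_key = keys.split(":")
    return (int(iterations), base64.b64decode(salt),
            base64.b64decode(stored_key), base64.b64decode(server_key))


def scram_server_verify(stored_key: bytes, auth_message: bytes, proof: bytes) -> bool:
    """Server check: ClientKey = proof XOR HMAC(StoredKey, AuthMessage);
    accept iff SHA-256(ClientKey) == StoredKey."""
    recovered_client_key = _xor(proof, _hmac(stored_key, auth_message))
    return hmac.compare_digest(hashlib.sha256(recovered_client_key).digest(), stored_key)


def scram_exchange(verifier: str, client_password: str,
                   client_nonce: str = None, server_nonce: str = None) -> dict:
    """Full SCRAM-SHA-256 exchange. The server side only sees `verifier`, the
    client side only sees `client_password`. Nonces are parameters so the run
    is reproducible; real clients and servers draw random ones."""
    client_nonce = client_nonce or _b64(os.urandom(18))
    server_nonce = server_nonce or _b64(os.urandom(18))
    iterations, salt, stored_key, server_key = parse_verifier(verifier)

    # client -> server: client-first. PostgreSQL sends an empty username ("n=").
    client_first_bare = f"n=,r={client_nonce}"
    # server -> client: server-first, salt and iteration count from the verifier.
    nonce = client_nonce + server_nonce
    server_first = f"r={nonce},s={_b64(salt)},i={iterations}"
    # client -> server: client-final. "biws" is base64("n,,"): no channel binding.
    client_final_bare = f"c=biws,r={nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode("ascii")
    client_key, client_side_server_key = scram_keys(client_password, salt, iterations)
    client_signature = _hmac(hashlib.sha256(client_key).digest(), auth_message)
    proof = _xor(client_key, client_signature)          # sent as p=<base64 proof>

    client_ok = scram_server_verify(stored_key, auth_message, proof)
    # server -> client: server-final v=<ServerSignature>, proving it holds ServerKey.
    server_signature = _hmac(server_key, auth_message)
    server_ok = hmac.compare_digest(server_signature, _hmac(client_side_server_key, auth_message))
    return {"client_authenticated": client_ok, "server_authenticated": server_ok,
            "auth_message": auth_message}


def forge_proof_from_verifier(verifier: str, auth_message: bytes) -> bytes:
    """An attacker holding only the stored verifier (a pg_authid dump) can compute
    ClientSignature but not ClientKey. The closest they can get is to substitute
    StoredKey for ClientKey; the server rejects it since SHA-256(StoredKey) != StoredKey.
    Contrast with md5, where the stored hash is all a client ever needs."""
    _, _, stored_key, _ = parse_verifier(verifier)
    return _xor(stored_key, _hmac(stored_key, auth_message))


if __name__ == "__main__":
    verifier = scram_verifier("secret", os.urandom(16))   # constructed: alice's password from the page
    print(verifier)
    print(scram_exchange(verifier, "secret"))
    print(scram_exchange(verifier, "wrong"))
```

The property to take from it: the client proves possession of ClientKey and the server proves possession of ServerKey, but the server stores only SHA-256(ClientKey). A stolen verifier therefore lets an attacker impersonate the server or run an offline dictionary attack against the salted PBKDF2 output, but not log in as the client, which is exactly the property the md5 scheme lacks.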

Practice

1. Which password authentication method in PostgreSQL is considered more secure and recommended for use?
easy
A. scram-sha-256
B. md5
C. password
D. trust

Solution

  1. Step 1: Understand common PostgreSQL password methods

    PostgreSQL supports several password authentication methods including md5 and scram-sha-256.
  2. Step 2: Compare security levels

    SCRAM-SHA-256 is a newer, more secure method than MD5, which is older and less secure.
  3. Final Answer:

    scram-sha-256 -> Option A
  4. Quick Check:

    More secure method = scram-sha-256 [OK]
Hint: SCRAM is newer and stronger than MD5 for passwords [OK]
Common Mistakes:
  • Confusing md5 as more secure than scram-sha-256 (the documentation calls md5 a less secure challenge-response scheme: it stops sniffing but gives no protection once the stored hash is stolen)
  • Choosing 'password', which sends the password in cleartext unless the connection is TLS-protected
  • Selecting 'trust', which requires no authentication at all
2. Which line correctly sets password authentication to SCRAM in the pg_hba.conf file?
easy
A. host all all 0.0.0.0/0 password
B. host all all 0.0.0.0/0 md5
C. host all all 0.0.0.0/0 scram-sha-256
D. host all all 0.0.0.0/0 trust

Solution

  1. Step 1: Identify the correct authentication method syntax

    A pg_hba.conf line has the form 'TYPE DATABASE USER ADDRESS METHOD', so 'host all all 0.0.0.0/0 scram-sha-256' applies to every IPv4 client address (IPv6 clients need a separate ::/0 line). 'host' accepts both TLS and non-TLS connections; use 'hostssl' to require TLS.
  2. Step 2: Match method to SCRAM

    To use SCRAM, the method keyword must be exactly 'scram-sha-256'. A misspelling is a parse error, not a fallback: the server refuses to load the file, and on a reload the previous rules stay in effect.
  3. Final Answer:

    host all all 0.0.0.0/0 scram-sha-256 -> Option C
  4. Quick Check:

    SCRAM method line = host all all 0.0.0.0/0 scram-sha-256 [OK]
Hint: SCRAM method is 'scram-sha-256' exactly in pg_hba.conf [OK]
Common Mistakes:
  • Using 'md5' instead of 'scram-sha-256' for SCRAM
  • Confusing 'password' with SCRAM
  • Omitting the IP address or using wrong format
3. Given this pg_hba.conf line: host all all 192.168.1.0/24 md5, what happens when a user connects from IP 192.168.1.15?
medium
A. The user must use SCRAM authentication.
B. The user connects without a password.
C. The connection is rejected automatically.
D. The user must provide a password hashed with MD5 to authenticate.

Solution

  1. Step 1: Analyze the IP range and method

    The line applies to IPv4 clients in 192.168.1.0/24, which includes 192.168.1.15, and names the md5 method. pg_hba.conf is read top to bottom and the first line matching the connection type, database, user and address decides, so this assumes no earlier line matched.
  2. Step 2: Understand md5 authentication behavior

    With md5 the server sends a 4-byte salt and the client must answer with md5(md5(password || username) || salt). The cleartext password never crosses the wire, but anyone holding the stored hash can produce the same answer. If this role's password happens to be stored in SCRAM form, PostgreSQL runs SCRAM authentication instead even though the line says md5.
  3. Final Answer:

    The user must provide a password hashed with MD5 to authenticate. -> Option D
  4. Quick Check:

    IP in range + md5 method = MD5 password required [OK]
Hint: MD5 method means password hashed with MD5 is required [OK]
Common Mistakes:
  • Assuming SCRAM is used instead of MD5
  • Thinking no password is needed
  • Believing connection is rejected without password
4. You set host all all 0.0.0.0/0 scram-sha-256 in pg_hba.conf but users still connect without password prompts. What is the likely cause?
medium
A. The scram-sha-256 method is misspelled
B. PostgreSQL was not reloaded after changing pg_hba.conf
C. Users have no passwords set in the database
D. The IP address range is incorrect

Solution

  1. Step 1: Check if configuration changes are active

    pg_hba.conf is only re-read at server start or on a reload (pg_ctl reload, or SELECT pg_reload_conf(); from a superuser session). Until then the previous rules stay in force. The pg_hba_file_rules view shows what the server would load, including any parse errors.
  2. Step 2: Identify why password prompts are missing

    If users still connect without a password prompt, the new method is most likely not active because the reload was skipped. The other options do not produce that symptom: a misspelled method is a parse error, a role with no password fails scram-sha-256 rather than being let through, and an address mismatch ends in a 'no pg_hba.conf entry' rejection. The one other thing to rule out is an earlier matching line, such as a leftover 'trust' rule or a 'local' line for socket connections, since the first matching line wins.
  3. Final Answer:

    PostgreSQL was not reloaded after changing pg_hba.conf -> Option B
  4. Quick Check:

    Config changes need reload = missing reload causes issue [OK]
Hint: Always reload PostgreSQL after pg_hba.conf changes [OK]
Common Mistakes:
  • Assuming a misspelled method would just drop the prompt; it is a parse error, so the file fails to load and the old rules stay in effect
  • Ignoring need to reload server
  • Thinking IP range affects password prompt
5. You want to enforce SCRAM authentication only for users connecting from the local network (192.168.0.0/16) and allow password authentication (md5) for others. Which two lines in pg_hba.conf achieve this correctly?
hard
A. host all all 192.168.0.0/16 scram-sha-256
   host all all 0.0.0.0/0 md5
B. host all all 0.0.0.0/0 scram-sha-256
   host all all 192.168.0.0/16 md5
C. host all all 192.168.0.0/16 md5
   host all all 0.0.0.0/0 scram-sha-256
D. host all all 0.0.0.0/0 trust
   host all all 192.168.0.0/16 scram-sha-256

Solution

  1. Step 1: Understand pg_hba.conf line order and matching

    PostgreSQL reads pg_hba.conf top to bottom and applies the first line whose type, database, user and address match; later lines are never consulted for that connection. A 0.0.0.0/0 line placed first therefore swallows the local network as well.
  2. Step 2: Set SCRAM for local network first, then md5 for others

    Line 1: 192.168.0.0/16 with scram-sha-256; Line 2: 0.0.0.0/0 with md5 for every other IPv4 client (IPv6 clients match neither line and are rejected unless a ::/0 line is added). Offering the weaker md5 method to the whole internet is the risky half of this split; pairing the second line with hostssl, or moving those clients to scram-sha-256 too, is the usual follow-up.
  3. Final Answer:

    host all all 192.168.0.0/16 scram-sha-256 host all all 0.0.0.0/0 md5 -> Option A
  4. Quick Check:

    Specific local network first, then general others [OK]
Hint: Put specific IP range first, general last in pg_hba.conf [OK]
Common Mistakes:
  • Reversing line order causing wrong method to apply
  • Using 'trust' which disables password
  • Assigning md5 to local network instead of SCRAM
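To make the first-match rule behind questions 2 to 5 concrete, here is an added Python model of how PostgreSQL walks pg_hba.conf. It is example code, not PostgreSQL's own hba.c, and deliberately a subset: it handles local/host/hostssl/hostnossl lines, 'all' or comma-separated names, CIDR addresses and a method keyword, and ignores hostgssenc, +group, @file, regex and hostname forms and method options. The names HBA_EXAMPLE, HBA_REVERSED, HBA_TRUST_FIRST, parse_hba, first_match and method_for are this example's own, and the config fragments are constructed for it.

```python
import ipaddress

# Constructed pg_hba.conf fragments (not from any real server).
HBA_EXAMPLE = """
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   192.168.0.0/16  scram-sha-256
host    all       all   0.0.0.0/0       md5
"""

# Same rules with the two host lines swapped (option C in question 5).
HBA_REVERSED = """
local   all       all                   peer
host    all       all   0.0.0.0/0       md5
host    all       all   192.168.0.0/16  scram-sha-256
"""

# A leftover trust line above the new rule (question 4): the scram line is never reached.
HBA_TRUST_FIRST = """
host    all       all   0.0.0.0/0       trust
host    all       all   0.0.0.0/0       scram-sha-256
"""


def parse_hba(text: str) -> list:
    """Parse the modelled subset of pg_hba.conf: comments and blank lines are
    skipped, 'local' lines carry no address, host* lines carry a CIDR."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            conn_type, database, user, method = fields[:4]
            network = None
        else:
            conn_type, database, user, address, method = fields[:5]
            network = ipaddress.ip_network(address, strict=False)
        rules.append({"line": lineno, "type": conn_type, "database": database,
                      "user": user, "network": network, "method": method})
    return rules


def _name_matches(pattern: str, value: str) -> bool:
    return pattern == "all" or value in pattern.split(",")


def first_match(rules: list, conn_type: str, database: str, user: str,
                address: str = None, ssl: bool = False):
    """Return the first rule that matches, as PostgreSQL does. None means the
    connection is rejected with 'no pg_hba.conf entry for host ...'."""
    addr = ipaddress.ip_address(address) if address is not None else None
    for rule in rules:
        if rule["type"] == "local":
            if conn_type != "local":
                continue
        else:
            if conn_type == "local":            # socket connections never match host lines
                continue
            if rule["type"] == "hostssl" and not ssl:
                continue
            if rule["type"] == "hostnossl" and ssl:
                continue
            # an IPv4 CIDR never matches an IPv6 client, and vice versa
            if addr is None or addr.version != rule["network"].version or addr not in rule["network"]:
                continue
        if not (_name_matches(rule["database"], database) and _name_matches(rule["user"], user)):
            continue
        return rule
    return None


def method_for(hba_text: str, conn_type: str, database: str, user: str,
               address: str = None, ssl: bool = False):
    """Convenience: the method keyword the connection would get, or None if rejected."""
    rule = first_match(parse_hba(hba_text), conn_type, database, user, address, ssl)
    return rule["method"] if rule else None


if __name__ == "__main__":
    for label, hba in (("option A", HBA_EXAMPLE), ("option C", HBA_REVERSED),
                       ("stale trust line", HBA_TRUST_FIRST)):
        print(label,
              "| 192.168.1.15:", method_for(hba, "host", "appdb", "alice", "192.168.1.15"),
              "| 203.0.113.7:", method_for(hba, "host", "appdb", "alice", "203.0.113.7"),
              "| ::1:", method_for(hba, "host", "appdb", "alice", "::1"))
```

Three things it reproduces that the questions rely on: swapping the two host lines (option C) sends the 192.168.1.15 client to md5; a leftover trust line above a new scram-sha-256 line explains a missing password prompt just as well as a skipped reload; and a 0.0.0.0/0 line matches no IPv6 client, so ::1 gets no rule at all and is rejected. On a live server the pg_hba_file_rules view is the authoritative way to see which lines were loaded.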