Aiven for PostgreSQL®: Enhanced password security with SCRAM-SHA-256
Aiven for PostgreSQL® now defaults to scram-sha-256 password encryption for enhanced security, moving away from the md5 method. scram-sha-256 offers a more robust challenge-response authentication scheme. While md5 is vulnerable to traditional pass-the-hash attacks, scram-sha-256 eliminates this type of vulnerability and offers much better protection against offline password attacks and brute force attacks.
How this change applies
- New services (affected): New Aiven for PostgreSQL services in organizations without PGBouncer pools will use
scram-sha-256by default. - Existing services (unaffected): All existing services are not impacted by this change.
- PGBouncer pool organizations (unaffected): New services created in organizations with PGBouncer pools will continue to default to
md5.
Client compatibility: Most modern PostgreSQL client libraries are compatible with scram-sha-256. For authentication issues, consult your driver's documentation or the PostgreSQL list of drivers.
When to migrate manually
If your organization has PGBouncer pools tied to specific database users or your services have additional database users created, migrate to scram-sha-256 manually before the next major PostgreSQL version upgrade, when md5 encryption will be deprecated.
View migration guide and compatibility instructions
How to troubleshoot authentication issues
If you experience connection problems with scram-sha-256, you have two immediate options:
- Revert default: Change
pg.password_encryptionback tomd5in your service'suser_config. - Role-specific MD5: For specific roles, create them with
md5secrets directly usingCREATE ROLE ... WITH PASSWORD 'md5' ...(PostgreSQL documentation on CREATE ROLE).