Changelog

Oct 23, 2025

Aiven for PostgreSQL®: Enhanced password security with SCRAM-SHA-256

Aiven for PostgreSQL® now defaults to scram-sha-256 password encryption for enhanced security, moving away from the md5 method. scram-sha-256 offers a more robust challenge-response authentication scheme. While md5 is vulnerable to traditional pass-the-hash attacks (a stolen stored hash is enough to authenticate, without knowing the password), scram-sha-256 eliminates this type of vulnerability and offers much better protection against offline password attacks and brute-force attacks.

How this change applies

  • New services (affected): New Aiven for PostgreSQL services in organizations without PGBouncer pools will use scram-sha-256 by default.
  • Existing services (unaffected): Existing services are not affected by this change; they keep their current password encryption setting.
  • PGBouncer pool organizations (unaffected): New services created in organizations with PGBouncer pools will continue to default to md5.

Client compatibility: Most modern PostgreSQL client libraries are compatible with scram-sha-256. For authentication issues, consult your driver's documentation or the PostgreSQL list of drivers.

When to migrate manually

If your organization has PGBouncer pools tied to specific database users or your services have additional database users created, migrate to scram-sha-256 manually before the next major PostgreSQL version upgrade, when md5 encryption will be deprecated.

View migration guide and compatibility instructions
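The manual migration described above comes down to re-setting each role's password while scram-sha-256 is the active hashing method, because PostgreSQL stores only a hash and cannot convert an existing md5 hash in place. The following SQL is an added example, not part of the Aiven changelog or Aiven's migration guide; the role name `app_user` and the password literal are placeholders.

```sql
-- Added example: re-hashing one role's password from md5 to SCRAM-SHA-256.
-- "app_user" and the password literal are placeholders.

-- 1. Pin the hashing method for this session so the result does not depend
--    on the service-wide default (password_encryption is a per-session setting
--    that any role may change).
SET password_encryption = 'scram-sha-256';
SHOW password_encryption;   -- expect: scram-sha-256

-- 2. Re-set the password. The cleartext must be supplied again (reusing the
--    same value is fine); the server derives a fresh SCRAM verifier from it.
ALTER ROLE app_user WITH PASSWORD 'replace-with-the-real-password';

-- 3. Verify what is stored. pg_authid is readable only by superusers; on a
--    managed service without superuser access, skip this step and confirm by
--    logging in from the client instead.
SELECT rolname,
       CASE
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
         WHEN rolpassword LIKE 'md5%'            THEN 'md5'
         WHEN rolpassword IS NULL                THEN 'no password'
         ELSE 'other'
       END AS verifier_type
FROM pg_authid
WHERE rolcanlogin
ORDER BY rolname;
```

Run the loop over every login role that applications, PgBouncer pools or extra database users depend on, and update the matching pool credentials at the same time. Prefer psql's `\password app_user` over a literal `ALTER ROLE ... PASSWORD`: it computes the SCRAM verifier client-side (honouring the session's `password_encryption`), so the cleartext password never appears in the SQL stream or in statement logs.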

How to troubleshoot authentication issues

If you experience connection problems with scram-sha-256, you have two immediate options:

  • Revert default: Change pg.password_encryption back to md5 in your service's user_config.
  • Role-specific MD5: For specific roles, create them with md5 secrets directly using CREATE ROLE ... WITH PASSWORD 'md5' ... (PostgreSQL documentation on CREATE ROLE).
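For the role-specific option above, the two ways of giving one role an md5 secret while the service default stays scram-sha-256 are shown below. This is an added example, not code from the Aiven changelog; the role name `legacy_app` and the password literal are placeholders, and the `md5<...>` string is a placeholder to be replaced with a real 35-character secret.

```sql
-- Added example: one role with an md5 secret under a scram-sha-256 default.
-- "legacy_app" and the password literal are placeholders.

-- Option A: override the hashing method for this session only. Roles created
-- in other sessions continue to get SCRAM verifiers.
SET password_encryption = 'md5';
CREATE ROLE legacy_app WITH LOGIN PASSWORD 'replace-with-the-real-password';
RESET password_encryption;

-- Option B: supply a secret that is already in md5 form. PostgreSQL stores a
-- password literal of the form 'md5' || md5(password || rolename) verbatim,
-- regardless of password_encryption. The server-side md5() call below only
-- makes the format visible; compute the value on the client in practice so
-- the cleartext never reaches the server or its logs.
SELECT 'md5' || md5('replace-with-the-real-password' || 'legacy_app') AS md5_secret;

-- Paste the 35-character result ("md5" followed by 32 hex digits) as the password.
-- Anything that does not match that shape exactly is treated as cleartext and
-- hashed with the session's password_encryption instead.
ALTER ROLE legacy_app WITH PASSWORD 'md5<paste-the-35-character-secret-here>';

-- Verify (pg_authid is superuser-only): the stored secret should start with 'md5'.
SELECT rolname, left(rolpassword, 3) AS prefix
FROM pg_authid
WHERE rolname = 'legacy_app';
```

An md5 secret can only authenticate through a pg_hba.conf rule whose method is `md5` (that method accepts both md5 and SCRAM secrets); a rule with method `scram-sha-256` rejects md5 secrets. Treat either option as a stop-gap for a client that cannot speak SCRAM yet, and move the role to scram-sha-256 before the next major PostgreSQL version upgrade, as the changelog advises.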