SCRAM-SHA-256 is a challenge-response, password-based client-to-server authentication method introduced in PostgreSQL 10 that replaces the legacy MD5-based authentication. Not only was the on-the-wire protocol upgraded but also the server-side password hashes: the stored verifier is salted and derived with 4096 iterations of PBKDF2-HMAC-SHA-256 instead of a single MD5 of the password concatenated with the username, which is a great improvement in resistance to brute-force cracking. A stolen SCRAM verifier also cannot be replayed in place of the password the way a stolen md5 hash could.
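What actually changes on disk, as an added Python example that is not from the original post: it builds the legacy md5 verifier and the SCRAM-SHA-256 verifier that PostgreSQL stores in pg_authid.rolpassword, then runs a dictionary attack against each so the per-guess cost difference is visible. The iteration count and salt length follow the PostgreSQL 10 defaults (4096 and 16 bytes); the role name, password and word list are constructed for the demo, and the password is assumed to be plain ASCII so that SASLprep (which PostgreSQL applies first) is the identity.

```python
import base64
import hashlib
import hmac
import os

# PostgreSQL 10 defaults for SCRAM verifiers (scram-common.h).
SCRAM_DEFAULT_ITERATIONS = 4096
SCRAM_DEFAULT_SALT_LEN = 16


def md5_verifier(username, password):
    """Legacy pg_authid.rolpassword format: 'md5' + md5(password || username).

    The username is the only salt, there is no work factor, and this same
    string is what the client proves knowledge of on the wire, so a stolen
    hash is both cheap to crack and directly replayable.
    """
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def scram_salted_password(password, salt, iterations):
    # RFC 5802 Hi() is PBKDF2 with HMAC-SHA-256. Assumes an ASCII password
    # (SASLprep is a no-op for those).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def scram_verifier(password, salt=None, iterations=SCRAM_DEFAULT_ITERATIONS):
    """Build the verifier PostgreSQL stores for a SCRAM-SHA-256 role:
    SCRAM-SHA-256$<iterations>:<salt b64>$<StoredKey b64>:<ServerKey b64>
    """
    if salt is None:
        salt = os.urandom(SCRAM_DEFAULT_SALT_LEN)
    salted = scram_salted_password(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()          # what the server keeps
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"


def parse_scram_verifier(verifier):
    """Split a stored verifier into (iterations, salt, stored_key, server_key)."""
    scheme, params, keys = verifier.split("$")
    if scheme != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 verifier")
    iterations, salt_b64 = params.split(":")
    stored_b64, server_b64 = keys.split(":")
    return (int(iterations), base64.b64decode(salt_b64),
            base64.b64decode(stored_b64), base64.b64decode(server_b64))


def scram_check_password(verifier, candidate):
    """Per-guess work for an offline attacker holding a stolen SCRAM verifier:
    re-run PBKDF2 and re-derive StoredKey. The server never does this during
    login; it checks a proof derived from ClientKey, which the verifier lacks."""
    iterations, salt, stored_key, _ = parse_scram_verifier(verifier)
    salted = scram_salted_password(candidate, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)


def md5_check_password(verifier, username, candidate):
    """Per-guess work against a stolen md5 hash: one MD5 call."""
    return hmac.compare_digest(verifier, md5_verifier(username, candidate))


def dictionary_attack(check, wordlist):
    """Try each candidate in order; returns (password, guesses) or (None, guesses)."""
    for n, word in enumerate(wordlist, 1):
        if check(word):
            return word, n
    return None, len(wordlist)


if __name__ == "__main__":
    user, pw = "webapp", "correct horse battery staple"        # constructed
    wordlist = ["password", "webapp", "Welcome1", pw]           # constructed
    md5v = md5_verifier(user, pw)
    scramv = scram_verifier(pw)
    print("md5  :", md5v)
    print("scram:", scramv)
    print("md5 crack  :", dictionary_attack(lambda w: md5_check_password(md5v, user, w), wordlist))
    print("scram crack:", dictionary_attack(lambda w: scram_check_password(scramv, w), wordlist))
```

Grow the word list to a few hundred thousand entries and time the two attacks: the md5 loop is bounded by Python overhead, the SCRAM loop by 4096 HMAC rounds per guess, which is the whole point of the new verifier format.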

Switching the server to the SCRAM method is easy: set password_encryption = 'scram-sha-256' in postgresql.conf (and reload) for a permanent change, or SET it in psql, which affects only the current session but is enough if you rehash the passwords in that same session:

postgres@ubuntu:~$ psql 
psql (10.5 (Ubuntu 10.5-1.pgdg16.04+1))
Type "help" for help.

postgres=# show password_encryption;
 password_encryption 
---------------------
 md5
(1 row)

postgres=# SET password_encryption = 'scram-sha-256';
SET

Because the hashing scheme changed, you also need to rehash the password of every role that will authenticate with SCRAM. The server cannot convert an existing md5 hash, so the password has to be set again; psql's \password prompts for it and hashes it in the format the session's password_encryption selects:

postgres=# \password webapp
Enter new password:
Enter it again:

Alternative method (the plaintext password then travels over the connection and can end up in server logs or psql's history, so prefer \password where you can):

postgres=# ALTER USER "webapp" WITH PASSWORD 'PLAINTEXT_USER_PASSWORD_HERE';
ALTER ROLE
postgres=# select * from pg_user;
  usename   | usesysid | usecreatedb | usesuper | userepl | usebypassrls |  passwd  | valuntil | useconfig 
------------+----------+-------------+----------+---------+--------------+----------+----------+-----------
 postgres   |       10 | t           | t        | t       | t            | ******** |          | 
 webapp     |    16384 | t           | f        | f       | f            | ******** |          | 
(2 rows)

To confirm the setting in the current session (pg_user masks the passwd column; to see the stored hash itself, query rolpassword in pg_authid as a superuser: rehashed roles start with SCRAM-SHA-256$, legacy ones with md5):

postgres=# show password_encryption;
 password_encryption 
---------------------
 scram-sha-256
(1 row)

Also make sure you replace the occurrences of "md5" with "scram-sha-256" in pg_hba.conf and reload PostgreSQL (a reload is enough for pg_hba.conf; no restart is needed). Do this only after every affected role has been rehashed: while a pg_hba.conf line still says md5, the server transparently uses SCRAM for roles whose stored hash is already SCRAM, but once the line says scram-sha-256, roles still carrying an md5 hash can no longer log in.
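The pg_hba.conf step done field-aware rather than with a blind search-and-replace, as an added Python example that is not part of the original post: it parses the file, reports every rule still using md5, password or trust, and rewrites only the METHOD column of md5 rules to scram-sha-256, leaving comments, alignment, options and any "md5" inside a database or role name untouched. The sample file is constructed for the demo (laid out like the Debian/Ubuntu default), and the parser assumes host rules carry either a CIDR address or an IP plus netmask, with any trailing options written as key=value.

```python
import re

# Constructed sample pg_hba.conf (not from the original post). Line 7 has
# "md5" inside a database name on purpose; a naive replace would corrupt it.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
local   all             all                                     md5
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 scram-sha-256
hostssl webapp          webapp          10.0.0.0/8              md5 clientcert=1
host    md5_reports     reporter        192.168.1.0/24          md5
host    all             all             0.0.0.0/0               trust   # oops
"""

HOST_TYPES = {"host", "hostssl", "hostnossl"}

WEAK = {
    "trust": "no authentication at all",
    "password": "cleartext password on the wire",
    "md5": "MD5 challenge/response; replayable hash, cheap to crack",
}


def parse_rule(raw, lineno):
    """Parse one pg_hba.conf line. Returns None for blank/comment lines, else a
    dict with the rule's fields and the index of the METHOD token.

    'local' rules have no ADDRESS column. Host rules carry the address either
    as CIDR in one field or as IP plus netmask in two; options after the
    method always contain '=' (e.g. clientcert=1), which tells the forms apart.
    """
    fields = raw.split("#", 1)[0].split()
    if not fields:
        return None
    conn_type = fields[0]
    if conn_type == "local":
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: malformed local rule: {raw!r}")
        method_index, address = 3, None
    elif conn_type in HOST_TYPES:
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: malformed host rule: {raw!r}")
        if len(fields) > 5 and "=" not in fields[5]:
            method_index, address = 5, fields[3] + " " + fields[4]   # IP + netmask
        else:
            method_index, address = 4, fields[3]                     # CIDR
    else:
        raise ValueError(f"line {lineno}: unknown connection type {conn_type!r}")
    return {"lineno": lineno, "type": conn_type, "database": fields[1],
            "user": fields[2], "address": address,
            "method": fields[method_index], "method_index": method_index}


def audit_pg_hba(text):
    """Return (lineno, method, reason) for every rule that uses a weak method."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rule = parse_rule(raw, lineno)
        if rule and rule["method"] in WEAK:
            findings.append((lineno, rule["method"], WEAK[rule["method"]]))
    return findings


def migrate_md5_to_scram(text):
    """Rewrite only the METHOD field of md5 rules to scram-sha-256."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rule = parse_rule(raw, lineno)
        if rule is None or rule["method"] != "md5":
            out.append(raw)
            continue
        code, hash_sign, comment = raw.partition("#")
        tokens = re.split(r"(\s+)", code)            # keeps the whitespace runs
        words = [i for i, t in enumerate(tokens) if t and not t.isspace()]
        tokens[words[rule["method_index"]]] = "scram-sha-256"
        out.append("".join(tokens) + hash_sign + comment)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for lineno, method, reason in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {lineno}: {method:14s} {reason}")
    print(migrate_md5_to_scram(SAMPLE_PG_HBA))
```

Run the audit before and after the rewrite: afterwards only the trust rule should remain, and that one needs a human decision rather than a mechanical replacement. Apply the rewritten file only once every role has been rehashed, then reload the server.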

Compatibility

PostgreSQL 10 is nothing new, and most libraries have caught up with the SCRAM authentication method and work flawlessly; Django and psycopg2 are certainly in this group, as we've been using them with SCRAM since shortly after version 10 was released. The most notable laggard is Ansible, which still does not support it, but PR#51121 should resolve that shortly.
