Postgres security Checks Password Encryption

This test checks if postgresql passwords are stored in encrypted or clear text format.

First check pg_shadow table  to find any clear-text passwords. For this reason we can use below query.

select usename,passwd from pg_shadow

 where passwd not like ‘md5%’ or length(passwd) <> 35;

The output of this query should be null. If you find any passwords in clear-text format. you should change these passwords .

At the same time you should check Password_encryption parameter. This parameter controls ALTER USER and CREATE USER commands, If you don’t specify ENCRYPTED or UNENCRYPTED at this command , the database encrypts passwords.

The value of Password_encryption parameter should be on

postgres=# show Password_encryption;

password_encryption

———————

on

(1 row)