Why PostgreSQL Is Dropping MD5 Password Support and What It Means for You
PostgreSQL has officially deprecated MD5 password authentication, outlining a phased removal across upcoming releases and urging users to transition to the more secure SCRAM‑SHA‑256 method to protect against hash‑based attacks.
PostgreSQL has finally deprecated MD5 password authentication in its latest code, marking the start of its removal.
MD5 is insecure and vulnerable to attacks; PostgreSQL developers have been planning to phase it out for years. As of December 3, deprecation notices appear in the Git code that will become PostgreSQL 18.
“For some time MD5 has been considered unsuitable as a cryptographic hash. In PostgreSQL the MD5 password hash is vulnerable to pass‑the‑hash attacks—knowing the username and hashed password is enough to authenticate. The SCRAM‑SHA‑256 method added in v10 avoids these issues and is preferred over MD5. This commit marks MD5 password support as deprecated and it will be removed in future releases. Documentation now contains deprecation notices, and CREATE ROLE and ALTER ROLE emit warnings when setting an MD5 password. The warnings can be disabled by setting md5_password_warnings to “off”.”
The commit can be viewed at https://github.com/postgres/postgres/commit/db6a4a985bc09d260d5c29848e3c97f080646a53 .
PostgreSQL 19 will allow MD5 password upgrades and authentication but will prohibit creating new MD5 passwords. PostgreSQL 20 will forbid MD5 authentication entirely, and PostgreSQL 21 will remove MD5 support completely, including upgrades.
Thus, while MD5 support will remain for a few more releases, it is officially deprecated and slated for removal.
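To find the roles affected by this schedule, the following added example (not from the article or the PostgreSQL project) classifies stored password verifiers, as held in pg_authid.rolpassword, as MD5 or SCRAM‑SHA‑256 and lists the roles still on MD5. The function names and sample rows are constructed for illustration, and the SCRAM helper omits SASLprep, which does not matter for the ASCII sample.

```python
import base64
import hashlib
import hmac
import re

MD5_RE = re.compile(r"md5[0-9a-f]{32}")
SCRAM_RE = re.compile(
    r"SCRAM-SHA-256\$(\d+):([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)")

def md5_verifier(user, password):
    # Legacy format: 'md5' || md5(password || username); the role name is the only salt.
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()

def scram_verifier(password, salt, iterations=4096):
    # RFC 5802 key derivation, used here only to build a constructed sample row.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    stored = hashlib.sha256(hmac.new(salted, b"Client Key", "sha256").digest()).digest()
    server = hmac.new(salted, b"Server Key", "sha256").digest()
    b64 = lambda b: base64.b64encode(b).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored)}:{b64(server)}"

def classify(verifier):
    """Return 'md5', 'scram-sha-256', 'no-password' or 'unknown'."""
    if verifier is None:
        return "no-password"
    if MD5_RE.fullmatch(verifier):
        return "md5"
    m = SCRAM_RE.fullmatch(verifier)
    if m and int(m.group(1)) > 0:
        try:
            keys = [base64.b64decode(m.group(i), validate=True) for i in (3, 4)]
            base64.b64decode(m.group(2), validate=True)  # salt must decode too
        except ValueError:
            return "unknown"
        if all(len(k) == 32 for k in keys):  # StoredKey and ServerKey are SHA-256 sized
            return "scram-sha-256"
    return "unknown"

def roles_to_migrate(rows):
    """rows: (rolname, rolpassword) pairs; returns the roles still on MD5."""
    return sorted(name for name, v in rows if classify(v) == "md5")

# Constructed sample rows, not real credentials.
SAMPLE = [
    ("app_rw", md5_verifier("app_rw", "example-password")),
    ("reporting", scram_verifier("example-password", b"0123456789abcdef")),
    ("nologin_owner", None),
    ("legacy_etl", md5_verifier("legacy_etl", "example-password")),
]
```

Roles it reports need their password set again with password_encryption set to scram-sha-256, because the server cannot derive a SCRAM verifier from an MD5 hash without the plaintext password.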
21CTO
21CTO (21CTO.com) offers developers community, training, and services, making it your go‑to learning and service platform.
