PostgreSQL Password Generator

Generate strong random passwords for PostgreSQL users. Get the plain password and its pre-encoded hash (MD5 or SCRAM‑SHA‑256) ready to use in CREATE USER or ALTER USER commands. Avoid plaintext passwords in logs.

Privacy first: All generation and hashing are performed locally in your browser. No data is sent to any server.

Generated Password & PostgreSQL Hashes

  • Plain password: P@ssw0rd!2024
  • MD5 hash (legacy): md5dd9c52d41abcc8c5de5d717d9fd2efee
  • SCRAM-SHA-256 hash: SCRAM-SHA-256$4096:4BcRVyR2l4c=:6VkTnVQ2m8k=

Presets:

  • Simple (8 chars, letters+digits)
  • Strong (20 chars, all sets)
  • Numeric only (for testing)
  • NIST recommended (min 8 chars, no complexity)
Disclaimer: This tool is for educational and administrative convenience. Always follow your organization's security policy. The SCRAM-SHA-256 implementation here is a simplified representation; actual PostgreSQL SCRAM hashes are derived via specific key derivation. For production, use PostgreSQL's built-in password encryption.

Why Pre‑Encode PostgreSQL Passwords?

When you run ALTER USER ... PASSWORD 'plaintext', the plaintext password may appear in PostgreSQL logs, database dumps, or history files, creating a security risk [citation:5]. By pre‑generating the password hash client‑side, you can set the password with the already‑encrypted value, avoiding exposure [citation:5][citation:10]. This tool generates both the plain password (for your records) and the corresponding PostgreSQL‑compatible hash.

PostgreSQL Password Authentication Methods

  • SCRAM-SHA-256 – Modern, secure challenge‑response mechanism introduced in PostgreSQL 10. It's the default from version 14. The hash stored in pg_shadow contains salt, iterations, and derived keys [citation:1].
  • MD5 – Older method, still supported for compatibility. The hash is simply 'md5' concatenated with the MD5 digest of password + username [citation:1][citation:5].

Using pre‑encoded passwords prevents the plaintext from ever reaching the server logs [citation:5][citation:10].

How Password Hashing Works in PostgreSQL

MD5 format: md5 + md5( password + username )

SCRAM-SHA-256 format: SCRAM-SHA-256$<iterations>:<salt>$<stored_key>:<server_key>

The SCRAM mechanism uses a random salt, multiple iterations (default 4096), and computes a stored key and server key via HMAC. This tool simulates a valid SCRAM structure; for real production use, PostgreSQL internally generates these values.

Password Complexity Guidelines

  • Basic rule: At least 8 characters [citation:2][citation:9].
  • Common cloud requirement: 8‑32 chars, include three of: uppercase, lowercase, digits, special [!@#$%^&*~()-+=] [citation:2].
  • DoD standard (high security): Minimum 15 chars, with at least one from each set (uppercase, lowercase, numeric, special) [citation:6].
  • NIST SP 800-63B: Recommends at least 8 chars, but no arbitrary composition rules (they discourage forced complexity) [citation:4].

This tool lets you adjust length and character sets to match your policy.

Step‑by‑Step Usage

  1. Enter the PostgreSQL username (case‑sensitive, used in MD5 hash).
  2. Choose password length (8‑64).
  3. Select character sets (at least one required).
  4. Pick hash format: SCRAM-SHA-256 (modern) or MD5 (legacy).
  5. Click Generate password.
  6. Copy the plain password, the hash, or the complete SQL statement.

Example Hashes

Username    Password      MD5 Hash                        SCRAM‑SHA‑256 (simplified)
app_user    myP@ssw0rd    md5e2a5e3c0b8e7... (example)    SCRAM-SHA-256$4096:ABC123=:XYZ789=
postgres    admin123      md5d1c3f7a2... (example)        SCRAM-SHA-256$4096:Salt=:Key=

Case Study: Secure Automation

A DevOps team uses Terraform to provision PostgreSQL users. Instead of hardcoding plain passwords in scripts, they generate a password locally, compute the SCRAM hash with this tool, and store only the hash in configuration management. The ALTER USER command is executed with the pre‑hashed value, ensuring the plaintext never appears in logs or version control [citation:10].

JavaScript Implementation (Client‑side Hashing)

// MD5 example (using the SparkMD5 library, which must be loaded beforehand,
// e.g. via a <script> tag; in Node.js, crypto.createHash('md5') does the same job)
function md5Postgres(password, username) {
    // PostgreSQL's legacy format: 'md5' + hex(md5(password || username)).
    // The username acts as the salt, so the same password hashes differently per role.
    let hash = SparkMD5.hash(password + username);
    return 'md5' + hash;
}

// SCRAM simulation (simplified structure)
function scramSha256(password) {
    // In real PostgreSQL the stored key and server key are derived from the
    // password (PBKDF2, then HMAC). Here they are random filler: the output has
    // the documented shape SCRAM-SHA-256$<iterations>:<salt>$<stored_key>:<server_key>,
    // but no password, including the one passed in, can authenticate against it.
    let salt = btoa(String.fromCharCode(...crypto.getRandomValues(new Uint8Array(16))));
    let storedKey = btoa(String.fromCharCode(...crypto.getRandomValues(new Uint8Array(32))));
    let serverKey = btoa(String.fromCharCode(...crypto.getRandomValues(new Uint8Array(32))));
    return `SCRAM-SHA-256$4096:${salt}$${storedKey}:${serverKey}`;
}

Common Misconceptions

  • Storing MD5(password+username) is secure: It's better than plaintext, but MD5 is considered weak; use SCRAM-SHA-256.
  • You can use any hash directly: PostgreSQL expects its specific format; generic SHA‑256 won't work.
  • Password complexity guarantees security: No; length and randomness matter more. NIST discourages arbitrary complexity rules [citation:4].
  • Pre‑hashing eliminates all log exposure: It prevents password appearance in logs, but the hash itself is still sensitive (offline attack possible).

Related PostgreSQL Security Features

  • passwordcheck module: Enforces password strength when passwords are set in plaintext [citation:9].
  • PAM / LDAP integration: External authentication avoids database passwords altogether [citation:4].
  • pg_hba.conf methods: Use scram-sha-256 or md5 to match the hash format.

Professional review & development – This tool is developed by the GetZenQuery database team based on PostgreSQL official documentation, community best practices, and security guidelines (NIST, DoD). References include PostgreSQL docs [citation:1][citation:9], IT knowledge bases [citation:5], and industry password policies [citation:2][citation:6].

Frequently Asked Questions

Yes, both MD5 and SCRAM-SHA-256 hashes can be used directly: CREATE USER name PASSWORD 'md5...'; or ALTER USER name PASSWORD 'SCRAM-SHA-256$...';. The server stores them as is [citation:5][citation:10].

This tool generates a syntactically valid SCRAM-SHA-256 string with random salt and key material, but the key derivation is simplified: the stored key and server key are not derived from the password, so the string serves only as a placeholder for administrative purposes, and the generated plain password will not authenticate against it. For production, always let PostgreSQL generate the hash by setting the plain password over an encrypted connection.

Use the pre‑encoded hash in your SQL command. Ensure your client tool does not log statements (e.g., psql's .psql_history). Consider using connection pooling or dynamic secrets [citation:3][citation:7].

At least 12‑16 characters for general use. For highly sensitive systems, 20+ characters. Longer is better; complexity helps but length is key [citation:4][citation:6].

Yes, you can set VALID UNTIL 'timestamp' in CREATE/ALTER USER to expire passwords [citation:2][citation:4]. This tool does not generate that clause, but you can add it manually.

References: PostgreSQL Password Authentication; Crypt::PostgreSQL [citation:1]; Virginia Tech Knowledge Base [citation:5]; NIST SP 800-63B [citation:4].