Hash Authentication Parameters
Two parameters control which algorithm hash authentication uses for hashing and storing user passwords:
- A user-level parameter, Security_Algorithm:
    => ALTER USER username SECURITY_ALGORITHM 'MD5' IDENTIFIED BY 'newpassword';
    => ALTER USER username SECURITY_ALGORITHM 'SHA512' IDENTIFIED BY 'newpassword';
- A system-level configuration parameter, SecurityAlgorithm:
    => SELECT SET_CONFIG_PARAMETER('SecurityAlgorithm', 'MD5');
    => SELECT SET_CONFIG_PARAMETER('SecurityAlgorithm', 'SHA512');
Both parameters can have the following values:
- 'NONE'
- 'MD5'
- 'SHA512'
If your current password is in the MD5 format, you cannot rename a user with ALTER USER.
The user-level parameter usually has precedence over the system-level parameter. However, if the user-level parameter is 'NONE', Vertica hashes passwords with the algorithm assigned to the system-level parameter value. If both parameters are 'NONE', Vertica uses the MD5 algorithm.
These values, which are stored in the PASSWORD_AUDITOR system table, affect the security algorithm that is actually used for hash authentication.
User-Level Parameter Value | System-Level Parameter Value | Algorithm Used for Hash Authentication | Algorithm Used for Hash Authentication - FIPS mode |
---|---|---|---|
'NONE' | 'NONE' | MD5 | SHA-512 |
'NONE' | 'MD5' | MD5 | SHA-512 |
'NONE' | 'SHA512' | SHA-512 | SHA-512 |
'MD5' | 'NONE' | MD5 | SHA-512 |
'MD5' | 'MD5' | MD5 | SHA-512 |
'MD5' | 'SHA512' | MD5 | SHA-512 |
'SHA512' | 'NONE' | SHA-512 | SHA-512 |
'SHA512' | 'MD5' | SHA-512 | SHA-512 |
'SHA512' | 'SHA512' | SHA-512 | SHA-512 |
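
The precedence rules and table above, written out as an added example (not Vertica code): it resolves the algorithm for a given pair of parameter values and lists which accounts would still be hashed with MD5. The function names and the sample account list are hypothetical and constructed for illustration.

```python
"""Resolve the hash algorithm from the two parameters and list accounts left on MD5."""

VALID = {"NONE", "MD5", "SHA512"}


def effective_algorithm(user_level, system_level, fips_mode=False):
    """Return 'MD5' or 'SHA-512' following the precedence described on this page."""
    for value in (user_level, system_level):
        if value not in VALID:
            raise ValueError(f"unsupported parameter value: {value!r}")
    if fips_mode:
        # The FIPS column of the table is SHA-512 for every combination.
        return "SHA-512"
    if user_level != "NONE":
        chosen = user_level      # user-level value takes precedence
    elif system_level != "NONE":
        chosen = system_level    # user-level 'NONE' falls back to system-level
    else:
        chosen = "MD5"           # both 'NONE': MD5 is used
    return "SHA-512" if chosen == "SHA512" else "MD5"


def accounts_on_md5(users, system_level, fips_mode=False):
    """users: iterable of (name, user_level). Returns (name, user_level, reason) tuples."""
    findings = []
    for name, user_level in users:
        if effective_algorithm(user_level, system_level, fips_mode) != "MD5":
            continue
        if user_level == "MD5":
            # Explicit user-level 'MD5' wins even when system-level is 'SHA512'.
            reason = "user-level 'MD5' overrides the system-level value"
        else:
            reason = "user-level 'NONE' inherits MD5 from the system-level value"
        findings.append((name, user_level, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample accounts, not taken from any real database.
    sample_users = [("alice", "NONE"), ("bob", "MD5"), ("carol", "SHA512")]
    for system_level in ("NONE", "SHA512"):
        print(f"system-level = {system_level!r}")
        for name, level, reason in accounts_on_md5(sample_users, system_level):
            print(f"  {name}: user-level {level!r} -> MD5 ({reason})")
```

With the system-level parameter at 'SHA512', the only account reported is the one whose user-level value is explicitly 'MD5', which is the 'MD5' / 'SHA512' row of the table.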