Hash Authentication Parameters

Two parameters control which algorithm hash authentication uses for hashing and storing user passwords:

  • A user-level parameter, Security_Algorithm:

    => ALTER USER username SECURITY_ALGORITHM 'MD5' IDENTIFIED BY 'newpassword';
    => ALTER USER username SECURITY_ALGORITHM 'SHA512' IDENTIFIED BY 'newpassword';

  • A system-level configuration parameter, SecurityAlgorithm:

    => SELECT SET_CONFIG_PARAMETER('SecurityAlgorithm', 'MD5');
    => SELECT SET_CONFIG_PARAMETER('SecurityAlgorithm', 'SHA512');

Both parameters can have the following values:

  • 'NONE'
  • 'MD5'
  • 'SHA512'

If your current password is in the MD5 format, you cannot rename a user with ALTER USER.

The user-level parameter usually has precedence over the system-level parameter. However, if the user-level parameter is 'NONE', Vertica hashes passwords with the algorithm assigned to the system-level parameter value. If both parameters are 'NONE', Vertica uses the MD5 algorithm.

These values, which are stored in the PASSWORD_AUDITOR system table, affect the security algorithm that is actually used for hash authentication.

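| User-Level Parameter Value | System-Level Parameter Value | Algorithm Used for Hash Authentication | Algorithm Used for Hash Authentication - FIPS mode |
|----------------------------|------------------------------|----------------------------------------|----------------------------------------------------|
| 'NONE'                     | 'NONE'                       | MD5                                    | SHA-512                                            |
| 'NONE'                     | 'MD5'                        | MD5                                    | SHA-512                                            |
| 'NONE'                     | 'SHA512'                     | SHA-512                                | SHA-512                                            |
| 'MD5'                      | 'NONE'                       | MD5                                    | SHA-512                                            |
| 'MD5'                      | 'MD5'                        | MD5                                    | SHA-512                                            |
| 'MD5'                      | 'SHA512'                     | MD5                                    | SHA-512                                            |
| 'SHA512'                   | 'NONE'                       | SHA-512                                | SHA-512                                            |
| 'SHA512'                   | 'MD5'                        | SHA-512                                | SHA-512                                            |
| 'SHA512'                   | 'SHA512'                     | SHA-512                                | SHA-512                                            |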
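
The precedence rule and table above, written out as an audit helper. This is an added example, not Vertica code: the function names are hypothetical and the user rows are constructed. It shows that setting the system-level parameter to 'SHA512' does not move a user whose user-level value is 'MD5'.

```python
# Added example: names below are hypothetical, user rows are constructed.
VALID = ("NONE", "MD5", "SHA512")
DISPLAY = {"MD5": "MD5", "SHA512": "SHA-512"}  # parameter value -> table name


def effective_algorithm(user_level, system_level, fips=False):
    """Return the algorithm used for hash authentication ('MD5' or 'SHA-512')."""
    for value in (user_level, system_level):
        if value not in VALID:
            raise ValueError(f"unsupported parameter value: {value!r}")
    if fips:
        return "SHA-512"              # FIPS column of the table: always SHA-512
    if user_level != "NONE":
        return DISPLAY[user_level]    # user-level value takes precedence
    if system_level != "NONE":
        return DISPLAY[system_level]  # user is 'NONE': inherit system-level
    return "MD5"                      # both 'NONE': MD5


def md5_findings(users, system_level, fips=False):
    """List (user, reason) for every user that still authenticates with MD5."""
    findings = []
    for name, user_level in users:
        if effective_algorithm(user_level, system_level, fips) != "MD5":
            continue
        if user_level == "MD5":
            reason = "user-level 'MD5' overrides the system-level value"
        elif system_level == "MD5":
            reason = "user-level 'NONE' inherits system-level 'MD5'"
        else:
            reason = "both parameters 'NONE', so MD5 is used"
        findings.append((name, reason))
    return findings


# Constructed sample: (user name, user-level Security_Algorithm value).
SAMPLE_USERS = [("alice", "NONE"), ("bob", "MD5"), ("carol", "SHA512")]

if __name__ == "__main__":
    for system_level in VALID:
        print(f"SecurityAlgorithm = {system_level!r}")
        for name, reason in md5_findings(SAMPLE_USERS, system_level):
            print(f"  {name}: {reason}")
```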