Upgrade Considerations for Hash Authentication

For Vertica releases before 7.1, MD5 is the only algorithm used for hashing passwords. In Vertica 7.1, you can use either the MD5 algorithm or the more secure SHA-512 algorithm. Before you upgrade, you must consider the following behaviors to avoid problems.

Upgrade the Client and Server

To implement the more secure SHA-512 algorithm for hashing passwords, you must upgrade BOTH the client and the server to Vertica 7.1 or higher. If you upgrade the server but not the client and specify that one or more users store their passwords using SHA-512, the client does not understand hashing with SHA-512. When it sends a message to the server, the server returns an error.

Change Existing Users to SHA-512 Hash Algorithm

When you upgrade from a pre-7.1 database, the user-level parameter Security_Algorithm is set to 'NONE'. This allows all existing users to continue connecting to the Vertica server, and their passwords remain hashed using MD5.

If you want one or more users to use the SHA-512 algorithm, set the system-level parameter Security Algorithm to 'SHA512' and change the user passwords.

Use one of three methods to change the user password:

  • Manually set the user's user-level security algorithm to 'SHA512'. Then, change the user’s password, as in the following statement:

    => ALTER USER username SECURITY_ALGORITHM 'SHA512' IDENTIFIED BY 'newpassword';
  • Set the user's password to expire immediately as in the following statement. After the password expires, the user responds by changing it.

    => ALTER USER username PASSWORD EXPIRE;
  • Ask the user to change the password.

All new passwords inherit the system-level security algorithm, which is SHA-512.
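The upgrade procedure above, as an added example (not from the Vertica documentation): it assumes a database named vmart, users alice and bob, and that the system-level parameter is named SecurityAlgorithm and is set with ALTER DATABASE.

```sql
-- Added example, not from the Vertica documentation page.
-- Assumptions: database "vmart", users "alice" and "bob", and that the
-- system-level "Security Algorithm" parameter is SecurityAlgorithm.

-- 1. Prerequisite: both client and server are already on Vertica 7.1 or higher,
--    otherwise a client cannot authenticate a user stored with SHA-512.

-- 2. Set the system-level algorithm. Existing users keep their user-level
--    value of 'NONE' (MD5 hashes) until their password changes, so this step
--    by itself does not lock anyone out.
ALTER DATABASE vmart SET SecurityAlgorithm = 'SHA512';

-- 3a. Migrate a user immediately: set the user-level algorithm and a new
--     password in one statement. The stored hash is now SHA-512.
ALTER USER alice SECURITY_ALGORITHM 'SHA512' IDENTIFIED BY 'ChangeMe-Now-2014';

-- 3b. Let another user migrate at next login by expiring the current password.
--     The replacement password inherits the system-level algorithm (SHA-512).
ALTER USER bob PASSWORD EXPIRE;
```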