Hash Authentication Parameters
Two parameters control which algorithm hash authentication uses for hashing and storing user passwords:
-
A user-level parameter, Security_Algorithm:
=> ALTER USER username SECURITY_ALGORITHM 'MD5' IDENTIFIED BY 'newpassword'; => ALTER USER username SECURITY_ALGORITHM 'SHA512' IDENTIFIED BY 'newpassword';
-
A system-level configuration parameter, SecurityAlgorithm:
=> ALTER DATABASE DEFAULT SET PARAMETER SecurityAlgorithm = 'MD5'; => ALTER DATABASE DEFAULT SET PARAMETER SecurityAlgorithm = 'SHA512';
Both parameters can have the following values:
NONEMD5SHA512
If your current password is in the MD5 format you cannot rename a user with ALTER USER.
The user-level parameter usually has precedence over the system-level parameter. However, if the user-level parameter is NONE, Vertica hashes passwords with the algorithm assigned to the system-level parameter value. If both parameters are NONE, Vertica uses the MD5 algorithm.
These values, which are stored in system table PASSWORD_AUDITOR, affect the security algorithm that is actually used for hash authentication.
| Parameter value | Authentication algorithm | ||
|---|---|---|---|
| User level | System level | Hash | Hash /FIPS mode |
| NONE | NONE | MD5 | SHA-512 |
| NONE | MD5 | MD5 | SHA-512 |
| NONE | SHA512 | SHA-512 | SHA-512 |
| MD5 | NONE | MD5 | SHA-512 |
| MD5 | MD5 | MD5 | SHA-512 |
| MD5 | SHA512 | MD5 | SHA-512 |
| SHA512 | NONE | SHA-512 | SHA-512 |
| SHA512 | MD5 | SHA-512 | SHA-512 |
| SHA512 | SHA512 | SHA-512 | SHA-512 |