Password hashing algorithm

Vertica strongly recommends that you use SHA-512 for hash authentication.

Vertica does not store user passwords for the hash authentication method. Rather, Vertica stores a hash of the password. The hashing algorithm is determined by two parameters:

  • A system-level configuration parameter, SecurityAlgorithm:

    => ALTER DATABASE DEFAULT SET PARAMETER SecurityAlgorithm = 'hashing_algorithm';
    
  • A user-level parameter, SECURITY_ALGORITHM:

    => ALTER USER username SECURITY_ALGORITHM 'hashing_algorithm' IDENTIFIED BY 'new_password';
    

The system-level parameter, SecurityAlgorithm, can have the following values:

  • SHA512 (default)

  • MD5

The user-level parameter, SECURITY_ALGORITHM, can have the following values. Values other than NONE will take priority over the system-level parameter:

  • NONE (default, uses algorithm specified by the system-level parameter SecurityAlgorithm)

  • SHA512

  • MD5

A user's EFFECTIVE_SECURITY_ALGORITHM is determined by a combination of the system-level and user-level parameters. If the user-level parameter is set to NONE, the effective security algorithm will be that of the system-level parameter. You can override the system-level parameter for a particular user by setting the user-level parameter to a non-NONE value.

You can view these parameters and their effects on each user by querying the system table PASSWORD_AUDITOR.

The following table shows the various combinations of the system-level and user-level parameters and the effective security algorithm for each.

FIPS mode forces the effective security algorithm to be SHA-512.

  Parameter value                           Effective security algorithm
  ----------------------------------------  ----------------------------------
  System-level        User-level            Algorithm used    Algorithm used
  SecurityAlgorithm   SECURITY_ALGORITHM                      (FIPS mode)
  ------------------  --------------------  ----------------  ----------------
  MD5                 NONE                  MD5               SHA-512
  SHA512              NONE                  SHA-512           SHA-512
  MD5                 MD5                   MD5               SHA-512
  SHA512              MD5                   MD5               SHA-512
  MD5                 SHA512                SHA-512           SHA-512
  SHA512              SHA512                SHA-512           SHA-512
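
The resolution rules above can be turned into an audit that reports which users end up on MD5 and why. The following Python sketch is an added example, not Vertica code: the function names, the (user name, user-level value) row layout, and the sample users are constructed for illustration and do not reflect the PASSWORD_AUDITOR schema. It also reports users whose MD5 setting is only masked by FIPS mode.

```python
# Added example: models the precedence rules described on this page.
# Row layout and user names are constructed; they are not PASSWORD_AUDITOR columns.

SYSTEM_VALUES = ("SHA512", "MD5")
USER_VALUES = ("NONE", "SHA512", "MD5")


def effective_algorithm(system_level, user_level="NONE", fips=False):
    """Return the hashing algorithm that applies to one user."""
    system_level, user_level = system_level.upper(), user_level.upper()
    if system_level not in SYSTEM_VALUES:
        raise ValueError(f"invalid SecurityAlgorithm: {system_level}")
    if user_level not in USER_VALUES:
        raise ValueError(f"invalid SECURITY_ALGORITHM: {user_level}")
    if fips:
        return "SHA512"  # FIPS mode forces SHA-512 regardless of settings
    # A user-level value other than NONE overrides the system-level parameter.
    return system_level if user_level == "NONE" else user_level


def audit(rows, system_level, fips=False):
    """Map user name -> (status, cause) for every user configured for MD5."""
    findings = {}
    for name, user_level in rows:
        configured = effective_algorithm(system_level, user_level, fips=False)
        if configured != "MD5":
            continue
        in_effect = effective_algorithm(system_level, user_level, fips)
        status = ("MD5 in effect" if in_effect == "MD5"
                  else "MD5 configured, masked by FIPS mode")
        cause = ("inherited from system-level SecurityAlgorithm"
                 if user_level.upper() == "NONE"
                 else "user-level SECURITY_ALGORITHM override")
        findings[name] = (status, cause)
    return findings


# Constructed sample: (user name, user-level SECURITY_ALGORITHM)
SAMPLE_USERS = [("dbadmin", "NONE"), ("etl_svc", "MD5"), ("analyst", "SHA512")]

if __name__ == "__main__":
    for system in SYSTEM_VALUES:
        for fips in (False, True):
            print(system, "FIPS" if fips else "non-FIPS",
                  audit(SAMPLE_USERS, system, fips))
```

A user reported with the "override" cause stays on MD5 even after the system-level parameter is set to SHA512, so that user needs the ALTER USER statement shown earlier rather than a database-level change.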