SQLSTATE 28P01 FATAL Class 28: Invalid Authorization Specification

invalid_password SCRAM authentication requires a non-empty password — 28P01

PostgreSQL error “SCRAM authentication requires a non-empty password — 28P01” (SQLSTATE 28P01): what it means, common causes, and how to fix it.

PG 10, 11, 12, 13, 14, 15, 16, 17, 18
Last reviewed Jun 2026

Symptoms

SCRAM authentication was attempted but the role has an empty password. PostgreSQL raises SQLSTATE 28P01 (invalid_password).

  • The role has no usable password for SCRAM.
  • Common after creating a role without a password.
  • SCRAM cannot authenticate an empty password.

What the server log shows

FATAL:  SCRAM authentication requires a non-empty password

Why PostgreSQL raises this — what the manual says

As Section 20.5 Password Authentication explains:

SCRAM-SHA-256 authentication cannot proceed against an empty password, since there is no secret to derive the challenge-response from; set a non-empty password for the role (with ALTER ROLE … PASSWORD) before it can authenticate via SCRAM.

SCRAM-SHA-256 derives its proof from the role’s stored password verifier. A role with an empty/unset password has no verifier to authenticate against, so PostgreSQL rejects it with 28P01.

Common causes

  • The role was created without a password.
  • The password was reset to empty.
  • Expecting trust/peer auth but the HBA line requires SCRAM.

How to fix it

  1. Set a password: ALTER ROLE appuser PASSWORD 'strong-secret';
  2. Use an appropriate HBA method if password auth isn’t intended.
  3. Ensure the password isn’t blank in the connection string.
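
A catalog check for the causes and fix steps listed above, as an added example that is not taken from the PostgreSQL manual or from this page's source. It assumes a superuser session, because pg_authid and pg_hba_file_rules are restricted by default, and it reuses the role name appuser and the placeholder secret from step 1.

```sql
-- Added example. Run in psql as a superuser.

-- 1. Which login roles have no SCRAM verifier stored?
--    A role created without a password, or whose password was cleared,
--    has rolpassword = NULL and sorts to the top of this list.
SELECT rolname,
       CASE
         WHEN rolpassword IS NULL                THEN 'none (cannot use SCRAM)'
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
         WHEN rolpassword LIKE 'md5%'            THEN 'md5'
         ELSE 'unrecognised'
       END AS stored_verifier,
       rolvaliduntil
FROM   pg_authid
WHERE  rolcanlogin
ORDER  BY (rolpassword IS NULL) DESC, rolname;

-- 2. Which pg_hba.conf lines ask for a password exchange?
--    Compare user_name/database/address with the failing connection to see
--    whether the role was expected to match a trust or peer line instead.
SELECT line_number, type, database, user_name, address, auth_method
FROM   pg_hba_file_rules
WHERE  auth_method IN ('scram-sha-256', 'md5', 'password')
ORDER  BY line_number;

-- 3. Store a SCRAM verifier for the role, then re-run query 1 and confirm
--    that stored_verifier now reads 'scram-sha-256'.
SET password_encryption = 'scram-sha-256';
ALTER ROLE appuser PASSWORD 'strong-secret';  -- placeholder secret, replace it
-- In psql, "\password appuser" does the same but hashes the password on the
-- client, so the cleartext does not appear in the statement sent to the server.
```

Query 1 exposes password verifiers, so run it only from an administrative session and keep its output out of shared logs or tickets.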

Related & next steps

Reference: PostgreSQL 18 Section 21.5 “Password Authentication”.