Cookbook recipe

Role Without Password Set

Applies to PostgreSQL 13–17 Last reviewed May 2026 Grounded in source

What This Is

A production experience capsule based on real incident patterns.

Why It Matters

Builds production judgment under pressure.

Next Step

Run the decision point → · Enter full simulator →

Estimated investigation4 min

Scenario

Scenario A penetration tester successfully connects to the production database as app_user without providing any credentials. The role was created with CREATE ROLE app_user LOGIN — the PASSWORD clause was omitted. The pg_hba.conf entry for the…

Investigation Path

Scenario

A penetration tester successfully connects to the production database as app_user without providing any credentials. The role was created with CREATE ROLE app_user LOGIN — the PASSWORD clause was omitted. The pg_hba.conf entry for the app network uses trust authentication, meaning PostgreSQL doesn’t check passwords at all. The application has been running fine but the database is wide open to anyone on the network.

How to Identify

Conditions:

  • pg_authid.rolpassword IS NULL for a login role
  • pg_hba.conf has trust auth for TCP connections
  • Anyone on the allowed network subnet can connect as that user with any (or no) password
  • No audit trail of who connected and when

Analysis Steps

-- Find login roles with no password set
SELECT rolname, rolcanlogin, rolpassword IS NULL AS no_password, rolsuper
FROM pg_authid
WHERE rolcanlogin = true
ORDER BY rolname;

-- Check pg_hba.conf for trust authentication
SELECT line_num, type, database, user_name, address, auth_method
FROM pg_hba_file_rules
WHERE auth_method = 'trust'
ORDER BY line_num;
-- Any 'trust' rule on a 'host' type is a security risk

-- Identify which users are connecting from trusted rules:
SELECT a.usename, a.client_addr, a.application_name, count(*)
FROM pg_stat_activity a
WHERE a.backend_type = 'client backend'
GROUP BY a.usename, a.client_addr, a.application_name
ORDER BY count(*) DESC;

-- Check if the role has connection limit
SELECT rolname, rolconnlimit FROM pg_roles WHERE rolname = 'app_user';
-- -1 = unlimited connections

Pitfalls

  • CREATE ROLE app_user LOGIN without PASSWORD creates a role with rolpassword IS NULL. With trust auth, this is a full authentication bypass.
  • trust authentication in pg_hba.conf is only appropriate for local (Unix socket) connections on a secured server — never for TCP connections.
  • Setting a password on the role is not enough if pg_hba.conf still uses trusttrust ignores passwords entirely.
  • md5 authentication is weaker than scram-sha-256. The password is sent as an MD5 hash which is vulnerable to offline cracking and replay attacks.
  • Roles used by applications should have CONNECTION LIMIT set to prevent a single misconfigured client from exhausting all connections.

Resolution Approach

Set a strong password on the role, change pg_hba.conf from trust to scram-sha-256, and reload. Audit all login roles for missing passwords and all pg_hba.conf entries for trust on TCP connections.

This is a Pro lesson

Get every Learning Pathway and cookbook recipe — grounded in PostgreSQL source code, with diagnostics, fixes, and prevention for each topic.

Continue this lesson to learn:

  • Mitigation Actions
  • All 36 Learning Pathway lessons
  • 170+ cookbook recipes
  • Source-grounded diagnostics & fixes
Unlock everything — $24.99/month $199/year — save 35%

Secure checkout Cancel anytime Source-grounded

Career Impact

This scenario builds production judgment and operational confidence under pressure.

Open Career Dashboard →

Keep going

Related & next steps

More like this

Deadlock rate spiking — finding and eliminating the cause Set up streaming replication from scratch pgBackRest: How Incremental Backups and Point-in-Time Recovery Actually Work REINDEX TABLE Blocks All Reads and Writes During Rebuild Statistics and Selectivity: Why the Planner Guesses Wrong
Browse the cookbook Step-by-step recipes Follow a pathway Learn it in order Open the glossary Every concept, plainly
Was this helpful?

← All cookbook recipes