Diagnostic Queries
Symptoms
The server rejected the login because the password did not match, or the authentication method/credentials for the named role failed. The role name is shown in the message.
- The connection is refused with a FATAL and SQLSTATE 28P01.
- The DETAIL names the matched pg_hba.conf line.
- Common after a password change, role mix-up, or md5↔SCRAM mismatch.
What the server log shows
FATAL: password authentication failed for user "app"
DETAIL: Connection matched pg_hba.conf line 95: "host all all 0.0.0.0/0 scram-sha-256"
Why PostgreSQL raises this — what the manual says
Section 20.5 Password Authentication:
“If no password has been set up for a user, the stored password is null and password authentication will always fail for that user.”
After matching a pg_hba.conf line that requires a password, the server verifies the supplied secret against the role’s stored verifier. A mismatch — wrong password, no password set, or an md5/SCRAM encoding mismatch — produces this FATAL. The DETAIL shows which pg_hba.conf rule matched.
Common causes
- Wrong or outdated password in the client/connection string.
- The role has no password set (ALTER ROLE ... PASSWORD never run).
- password_encryption mismatch (md5 vs scram-sha-256) after an upgrade.
- Connecting as the wrong role.
How to fix it
- Re-enter the correct password; check for trailing spaces or encoding issues.
- Reset it: ALTER ROLE app PASSWORD 'newsecret';
- Ensure client and server agree on SCRAM: SHOW password_encryption;
- Confirm the matched pg_hba.conf line (see DETAIL) is the one you expect.
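The query below is an added example, not part of the original page or the PostgreSQL manual. It checks the server-side causes listed above in one pass by comparing the role's stored verifier with the auth method of the matched pg_hba.conf line. The role name app and line number 95 are taken from the sample log entry; run it as a superuser, since pg_authid and pg_hba_file_rules are restricted.

```sql
-- Inputs copied from the sample log entry: role "app", pg_hba.conf line 95.
WITH params AS (
    SELECT 'app'::name AS role_name,
           95          AS hba_line
)
SELECT p.role_name,
       -- Classify the stored verifier by prefix; the secret itself is never shown.
       CASE
           WHEN a.oid IS NULL                        THEN 'role missing'
           WHEN a.rolpassword IS NULL                THEN 'none'
           WHEN a.rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
           WHEN a.rolpassword LIKE 'md5%'            THEN 'md5'
           ELSE 'unrecognized'
       END                                     AS stored_verifier,
       h.auth_method                           AS hba_method,
       -- Encoding that the next ALTER ROLE ... PASSWORD will use.
       current_setting('password_encryption')  AS password_encryption,
       CASE
           WHEN a.oid IS NULL
               THEN 'role does not exist: check the user name the client sends'
           WHEN a.rolpassword IS NULL
               THEN 'no password set: password authentication always fails'
           WHEN h.auth_method = 'scram-sha-256' AND a.rolpassword LIKE 'md5%'
               THEN 'md5 verifier under a scram-sha-256 rule: reset the password'
           ELSE 'verifier fits the rule: check the password the client sends'
       END                                     AS diagnosis
FROM params p
LEFT JOIN pg_authid a
       ON a.rolname = p.role_name
LEFT JOIN pg_hba_file_rules h
       ON h.line_number = p.hba_line;
```

pg_hba_file_rules reflects the file as it currently is on disk, so a NULL hba_method means no rule starts at that line number any more and the file has changed since the failed login was logged.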
Related & next steps
Reference: PostgreSQL 18 Section 21.5 “Password Authentication”.