PostgreSQL default password

The short answer

PostgreSQL has no default password for the postgres superuser. A fresh install does not set one.

Instead, PostgreSQL uses host-based authentication rules to decide whether a password is required at all. On Linux, local connections typically use peer authentication, which means PostgreSQL checks your OS username instead of asking for a password. On macOS (Homebrew), the default is often trust, which lets anyone connecting locally in without any credentials.

Connecting on a fresh install

On Linux (peer authentication):

sudo -u postgres psql

This works because you are running the command as the postgres OS user. PostgreSQL sees that your OS username matches the database role name and lets you in without a password.

On macOS with Homebrew:

psql -U postgres

Homebrew configures PostgreSQL with trust authentication for local connections by default, so no password is required.

Once you are in, you will see the psql prompt:

psql (16.2)
Type "help" for help.

postgres=#

Setting the postgres user password

Once connected, set a password with ALTER USER:

ALTER USER postgres WITH PASSWORD 'yourpassword';

This takes effect immediately. You do not need to restart PostgreSQL.

If you want to require that password for local connections, you also need to update pg_hba.conf (covered below).

pg_hba.conf: how authentication works

pg_hba.conf is the file that controls authentication. It defines which users can connect, from where, and how they must authenticate. PostgreSQL reads it top to bottom and applies the first matching rule.

The default file location is usually:

• /etc/postgresql/<version>/main/pg_hba.conf on Debian/Ubuntu
• /var/lib/pgsql/<version>/data/pg_hba.conf on RHEL/Fedora
• /usr/local/var/postgresql@<version>/pg_hba.conf on macOS (Homebrew)

A typical default pg_hba.conf looks like this:

# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
local   all             all                                     peer
host    all             all             127.0.0.1/32            scram-sha-256
host    all             all             ::1/128                 scram-sha-256

The columns are: connection type, database, user, address, and authentication method.

Common methods:

| Method | What it does | |--------|--------------| | peer | Checks that the OS username matches the database role name (local only) | | trust | Allows connection without any password | | md5 | Password required, hashed with MD5 | | scram-sha-256 | Password required, hashed with SCRAM (recommended) |

Switching from trust or peer to password auth

To require a password for local connections:

1. Open pg_hba.conf in a text editor.
2. Find the line matching local connections for the relevant user.
3. Change the method from peer or trust to scram-sha-256.

Before:

local   all             all                                     peer

After:

local   all             all                                     scram-sha-256

4. Reload PostgreSQL to apply the change:

# From the shell
pg_ctl reload -D /path/to/data/directory

# Or from inside psql
SELECT pg_reload_conf();

After reloading, local connections will require the password you set with ALTER USER.

Resetting a forgotten postgres password

If you have lost the postgres password and cannot get in, temporarily switch to trust authentication to regain access.

Step 1. Open pg_hba.conf and change the local connection method to trust:

local   all             postgres                                trust

Step 2. Reload PostgreSQL:

pg_ctl reload -D /path/to/data/directory

Step 3. Connect without a password and set a new one:

psql -U postgres

ALTER USER postgres WITH PASSWORD 'newpassword';

Step 4. Revert pg_hba.conf back to scram-sha-256 (or your previous method), then reload again:

pg_ctl reload -D /path/to/data/directory

Do not leave trust in place permanently. Anyone with local access to the machine could connect as postgres.

PGPASSWORD environment variable

For scripting and automation, you can pass a password via the PGPASSWORD environment variable:

PGPASSWORD=yourpassword psql -U postgres -h localhost -d mydb

This works without any interactive prompt. The downside is that the password can appear in process listings (visible with ps aux to other users on the same machine). For production scripts, the ~/.pgpass file is a safer option.

~/.pgpass file

The ~/.pgpass file lets you store passwords for psql and other PostgreSQL tools without exposing them in the environment.

Format:

hostname:port:database:username:password

Example:

localhost:5432:mydb:postgres:yourpassword
*:5432:*:appuser:apppassword

Use * as a wildcard for any field. The file is read top to bottom and the first matching line is used.

Permissions must be set to 0600, or PostgreSQL will ignore the file entirely:

chmod 0600 ~/.pgpass

The ~/.pgpass file is a good choice for developer workstations and CI environments where you need passwordless connections without using trust authentication.

Cloud PostgreSQL

Managed PostgreSQL services (AWS RDS, Supabase, Neon, Google Cloud SQL, and others) always require a password. There is no peer or trust authentication in cloud setups because you are connecting over a network, not a local Unix socket.

When you create a managed database, the provider generates an initial password for the admin user. Store it securely and rotate it on a schedule.

Quick reference

| Task | Command | |------|---------| | Connect as postgres (Linux, peer auth) | sudo -u postgres psql | | Connect as postgres (macOS Homebrew) | psql -U postgres | | Set a password | ALTER USER postgres WITH PASSWORD 'yourpassword'; | | Reload pg_hba.conf (shell) | pg_ctl reload -D /path/to/data | | Reload pg_hba.conf (SQL) | SELECT pg_reload_conf(); | | Pass password for scripting | PGPASSWORD=pw psql -U postgres | | Store password securely | ~/.pgpass with chmod 0600 ~/.pgpass |