If you're using PgBouncer as a connection pooler in front of PostgreSQL 15+ (including 18+), you may hit this frustrating error in your logs or in your client apps (DBeaver, psql, applications):
FATAL: server login failed: wrong password type
This issue usually appears after upgrading PostgreSQL or when deploying PgBouncer in Docker with the default configuration.
The good news?
It’s not actually a bug — it’s a password hash mismatch.
Let’s walk through the root cause and the cleanest fix.
âť— Why this error happens
PostgreSQL 14 and later default to SCRAM-SHA-256 passwords:
SHOW password_encryption;
-- scram-sha-256
Meanwhile, PgBouncer traditionally expected MD5 hashes in its userlist.txt.
When PgBouncer reads an MD5 hash but the actual PostgreSQL user is stored as SCRAM, authentication fails with:
wrong password type
This happens because PgBouncer tries to forward the MD5-based password to PostgreSQL, but PostgreSQL rejects it — the hash formats don’t match.
🔍 Signs you are affected
- PgBouncer logs show:
FATAL: server login failed: wrong password type
- DBeaver or your app says:
password authentication failed
-
You are running:
- PostgreSQL 14, 15, 16, 17, or 18+
- Any Dockerized PgBouncer setup (edoburu, bitnami, cloudnative-pg, icoretech, etc.)
✅ The Correct Fix: Use SCRAM hashes inside PgBouncer’s userlist.txt
PgBouncer can authenticate using SCRAM — you just have to give it the actual SCRAM hashes from PostgreSQL.
Step 1 — Get the SCRAM hash from PostgreSQL
Run as a superuser:
SELECT rolpassword
FROM pg_authid
WHERE rolname = 'myappuser';
This returns something like:
SCRAM-SHA-256$4096:kafj2....==$storedkey:$serverkey
Copy the ENTIRE line.
Step 2 — Update PgBouncer’s userlist.txt
Open your local file:
pgbouncer/userlist.txt
Replace or add:
"myappuser" "SCRAM-SHA-256$4096:xxxxxxxxxx==$storedkey:$serverkey"
⚠️ Notes:
- Quotes are mandatory.
- No extra whitespace.
- One user per line.
Step 3 — Restart PgBouncer
PgBouncer must reload after editing userlist.txt.
For Docker Compose:
docker compose restart pgbouncer
Or with the admin console:
psql -h localhost -p 6432 pgbouncer -c "RELOAD"
🧪 Step 4 — Test the connection
If it works, PgBouncer logs won’t show the error anymore and DBeaver / your app will connect normally.
🛑 Alternative (NOT recommended): Downgrade PostgreSQL to MD5
You may see this workaround online:
- Set
password_encryption = md5 - Reset user passwords
- Put MD5 hashes in
userlist.txt
That works but reduces security and breaks alignment with modern PostgreSQL defaults.
Use SCRAM unless you have a legacy requirement.
🧩 Final Working Example
userlist.txt
"postgres" "SCRAM-SHA-256$4096:abcd123...$storedkey:$serverkey"
"myappuser" "SCRAM-SHA-256$4096:efgh456...$storedkey:$serverkey"
pgbouncer.ini snippet
auth_type = scram-sha-256
auth_file = /etc/pgbouncer/userlist.txt
🎉 Conclusion
The wrong password type error is simply a mismatch between:
- PostgreSQL’s real password hash (SCRAM)
- PgBouncer’s expected password entry (MD5 or SCRAM)
Fixing the issue is just a matter of:
- Reading the real SCRAM hash from Postgres
- Using it in PgBouncer’s
userlist.txt - Restarting PgBouncer
Once aligned, PgBouncer works perfectly with PostgreSQL 14–18+.
If you want, I can also write:
âś… a downloadable example project (docker-compose + configs)
âś… an image diagram explaining the flow
âś… a troubleshooting checklist section
Just tell me!
Top comments (0)