28P01: invalid password
FATAL · Tier 2 — Caution · ✅ HIGH confidence
What this means
SQLSTATE 28P01 is a Postgres-specific error raised when password authentication fails — the supplied password does not match the stored credential for the connecting role. It is the authentication-phase counterpart to 28000.
Why it happens
1. Incorrect password supplied in the connection string
2. Password changed on the server but not updated in the application configuration
3. Connecting with the wrong username (where passwords differ by role)
How to reproduce
Connection attempt with a wrong password.
-- psql connection with wrong password (-W forces a password prompt; enter an incorrect one):
-- psql -U myapp -d mydb -W
Fix 1: Verify and update the password in the application configuration
When the application receives 28P01.
-- Rotate the password on the server if it was changed:
ALTER ROLE myapp PASSWORD 'new_secure_password';
Why this works
Update the connection string in the application with the correct current password, then restart the application so it reloads the credentials.
Fix 2: Use a secrets manager to avoid hardcoded credentials
In production environments.
Why this works
Store database credentials in a secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.) and have the application fetch them at runtime to avoid stale password issues.
What not to do
Log the password for debugging 28P01
Why it's wrong: Logging the password writes the credential into log files and log pipelines, exposing it to anyone who can read the logs and defeating the point of the rotation.
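An added example (not code from the reference page) that ties Fix 2 and the logging rule together: on 28P01 the application re-reads the credential from its secrets store once and retries, and any connection string is redacted before it reaches a log line. The secrets store and the server are simulated in-memory stubs so it runs offline; the role myapp and password new_secure_password are taken from the ALTER ROLE above.

```python
"""Handle SQLSTATE 28P01 by refreshing the credential from a secrets store.

Added example. The secrets store and the Postgres server are simulated so the
script runs offline; in production fetch_secret() would call AWS Secrets
Manager or Vault and FakeServer.connect() would be the driver's connect().
"""
from urllib.parse import urlsplit, urlunsplit

INVALID_PASSWORD = "28P01"  # Postgres SQLSTATE: password authentication failed


class PgError(Exception):
    """Minimal stand-in for a driver error that carries a SQLSTATE."""
    def __init__(self, sqlstate, msg):
        super().__init__(msg)
        self.sqlstate = sqlstate


class FakeServer:
    """Simulated server: one role whose password was rotated via ALTER ROLE."""
    def __init__(self, role, password):
        self.creds = {role: password}  # constructed, in-memory only

    def connect(self, role, password):
        if self.creds.get(role) != password:
            raise PgError(INVALID_PASSWORD,
                          f'password authentication failed for user "{role}"')
        return f"connection as {role}"


def redact(dsn):
    """Strip the password from a libpq URI before it is written to any log."""
    parts = urlsplit(dsn)
    if parts.password is None:
        return dsn
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit(parts._replace(netloc=f"{parts.username}:***@{host}"))


def connect_with_refresh(server, role, fetch_secret, log):
    """Connect; on 28P01 re-read the secret once, since it may have rotated.

    Any other SQLSTATE is re-raised unchanged, and the log entry never
    contains the password, only the role and the error class.
    """
    try:
        return server.connect(role, fetch_secret())
    except PgError as e:
        if e.sqlstate != INVALID_PASSWORD:
            raise
        log.append(f"28P01 for role {role}; refreshing credential")
        return server.connect(role, fetch_secret())  # second failure propagates
```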
Sources
📚 Official docs: https://www.postgresql.org/docs/current/errcodes-appendix.html
🔧 Source ref: Class 28 — Invalid Authorization Specification (Postgres-specific)
Confidence assessment
✅ HIGH confidence
Postgres-specific. Stable across all versions.