diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml
index 53b1c0f4c..91a31d997 100644
--- a/roles/matrix-postgres/defaults/main.yml
+++ b/roles/matrix-postgres/defaults/main.yml
@@ -63,7 +63,16 @@ matrix_postgres_additional_databases: []
 # We either need to not create them or to ignore the `CREATE ROLE` statements in the dump.
 matrix_postgres_import_roles_to_ignore: [matrix_postgres_connection_username]
 
-matrix_postgres_import_roles_ignore_regex: "^CREATE ROLE ({{ matrix_postgres_import_roles_to_ignore|join('|') }});"
+# When importing an existing Postgres database (when restoring a backup) or when doing a Postgres upgrade (which dumps & restores), we'd like to avoid:
+# - creating users (`CREATE ROLE ..`)
+# - updating passwords for users (`ALTER ROLE matrix WITH SUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS PASSWORD 'md5...`)
+#
+# Both of these operations are done by the playbook anyway.
+# Updating passwords is especially undesirable, because older versions hash passwords using md5 and export them as md5 hashes in the dump file,
+# which is unsupported by default by newer Postgres versions (v14+).
+# When users are created and passwords are set by the playbook, they end up hashed as `scram-sha-256` on Postgres v14+.
+# If an md5-hashed password is restored on top, Postgres v14+ will refuse to authenticate users with it by default.
+matrix_postgres_import_roles_ignore_regex: "^(CREATE|ALTER) ROLE ({{ matrix_postgres_import_roles_to_ignore|join('|') }})(;| WITH)"
 
 # A list of databases to avoid creating when importing (or upgrading) the database.
 # If a dump file contains the databases and they've also been created beforehand (see `matrix_postgres_additional_databases`),