Conference Schedule - PGCon 2020

Protect Your PostgreSQL Passwords: How SCRAM Works and Why You Need It

Date: 2020-05-27
Time: 10:00–10:45
Room: Stream 1
Level: Intermediate

Passwords: they just seem to work. You connect to your PostgreSQL database and you are prompted for your password. You type in the correct character combination, and presto! you're in, safe and sound.

But what if I told you that all was not as it seemed. What if I told you there was a better, safer way to use passwords with PostgreSQL? What if I told you it was imperative that you upgraded, too?

PostgreSQL 10 introduced SCRAM (Salted Challenge Response Authentication Mechanism), introduced in RFC 5802, as a way to securely authenticate passwords. The SCRAM algorithm lets a client and server validate a password without ever sending the password, whether plaintext or a hashed form of it, to each other, using a series of cryptographic methods.

In this talk, we will look at:

  • A history of the evolution of password storage and authentication in PostgreSQL
  • How SCRAM works with a step-by-step deep dive into the algorithm (and convince you why you need to upgrade!)
  • SCRAM channel binding, which helps prevent MITM attacks during authentication
  • How to safely set and modify your passwords, as well as how to upgrade to SCRAM-SHA-256 (which we will do live!)

all of which will be explained by some adorable elephants and hippos!

At the end of this talk, you will understand how SCRAM works, how to ensure your PostgreSQL drivers supports it, how to upgrade your passwords to using SCRAM-SHA-256, and why you want to tell other PostgreSQL password mechanisms to SCRAM!



The following slides have been made available for this session:


Jonathan S. Katz