Get Your Insecure PostgreSQL Passwords to SCRAM!


Passwords: they just seem to work. You connect to your PostgreSQL database and you are prompted for your password. You type in the correct character combination, and presto! you're in, safe and sound.

But what if I told you that all was not as it seemed, and there was a better way to authenticate with passwords in PostgreSQL?

PostgreSQL 10 introduced SCRAM (Salted Challenge Response Authentication Mechanism), introduced in RFC 5802, as a way to securely authenticate passwords. The SCRAM algorithm lets a client and server validate a password without ever sending the password, whether plaintext or a hashed form of it, to each other, using a series of cryptographic methods.

In this talk, we will look at:

  • A history of the evolution of password storage and authentication in PostgreSQL
  • Flaws in each of the legacy PostgreSQL password-based authentication methods
  • How SCRAM works with a step-by-step deep dive into the algorithm
  • SCRAM channel binding, which helps prevent MITM attacks during authentication
  • How to safely set and modify your passwords, as well as how to upgrade to SCRAM-SHA-256 (which we will do live!)

At the end of this talk, you will understand how SCRAM works, how to ensure your PostgreSQL drivers supports it, how to upgrade your passwords to using SCRAM-SHA-256, and why you want to tell other PostgreSQL password mechanisms to SCRAM!

Room 105
Thursday, March 5, 2020 - 09:30 to 10:15