PGConf NYC 2021 - Get Your Insecure PostgreSQL Passwords to SCRAM! by Jonathan S. Katz

Get Your Insecure PostgreSQL Passwords to SCRAM! by Jonathan S. Katz

Passwords: they just seem to work. You connect to your PostgreSQL database and you are prompted for your password. You type in the correct character combination, and presto! you're in, safe and sound.

But what if I told you that all was not as it seemed, and there was a better way to authenticate with passwords in PostgreSQL?

PostgreSQL 10 introduced SCRAM (Salted Challenge Response Authentication Mechanism), introduced in RFC 5802, as a way to securely authenticate passwords. The SCRAM algorithm lets a client and server validate a password without ever sending the password, whether plaintext or a hashed form of it, to each other, using a series of cryptographic methods.

In this talk, we will look at:

A history of the evolution of password storage and authentication in PostgreSQL
Flaws in each of the legacy PostgreSQL password-based authentication methods
How SCRAM works with a step-by-step deep dive into the algorithm
SCRAM channel binding, which helps prevent MITM attacks during authentication
How to safely set and modify your passwords, as well as how to upgrade to SCRAM-SHA-256 (which we will do live!)
At the end of this talk, you will understand how SCRAM works, how to ensure your PostgreSQL drivers supports it, how to upgrade your passwords to using SCRAM-SHA-256, and why you want to tell other PostgreSQL password mechanisms to SCRAM!