YoVDO

Get Your Insecure PostgreSQL Passwords to SCRAM - Secure Authentication Methods

Offered By: Confreaks via YouTube

Tags

PostgreSQL Courses
Cryptography Courses
Database Security Courses

Course Description

Overview

Explore the evolution and security of PostgreSQL password authentication in this comprehensive conference talk. Delve into the history of password storage methods, examining flaws in legacy authentication systems. Learn about SCRAM (Salted Challenge Response Authentication Mechanism) introduced in PostgreSQL 10, understanding its step-by-step algorithm and benefits. Discover how to implement SCRAM-SHA-256, prevent man-in-the-middle attacks through channel binding, and safely upgrade existing passwords. Gain insights into ensuring PostgreSQL driver compatibility with SCRAM and why it's crucial to transition from older password mechanisms for enhanced database security.

Syllabus

Intro
aka "A Tale of Two Hippos"
Guest Starring Blue Elephant
How Do Passwords Work in PostgreSQL?
PostgreSQL Plaintext Passwords
Plaintext Password Authentication Flow
Transport Layer Security
PostgreSQL MD5 Password Authentication
MD5 Authentication Flow
Salted Challenge Response Authentication Mechanism
Creating a Password For SCRAM
Building a SCRAM Secret - DIGEST
Building a SCRAM Secret - ITERATIONS
Building a SCRAM Secret - SASLPrep the Password
Building a SCRAM Secret - Generate the Salted Password
Building a SCRAM Secret - SERVER KEY
Building a SCRAM Secret - "Easy Button"
SCRAM Authentication Flow: Generating Proof
Recall: Client Key
Client Signature
SCRAM Authentication Flow: Server Verification
Server Signature
SCRAM Authentication Flow: Client Verification
Case #1: Server "Claims" To Know Secret
Case #2: Elephant-in-the-Middle Attack
Channel Binding
Upgrading to SCRAM
Driver Support for SCRAM


Taught by

Confreaks

Related Courses

Operating System and Virtualization Security
Peking University via Coursera
Intro to Relational Databases
Udacity
SQL Server Database Technology
Xi'an Jiaotong University via Coursera
Provisioning Databases in Azure and SQL Server
Microsoft via edX
Databases in Azure
Microsoft via edX