PGConf NYC 2021 - Get Your Insecure PostgreSQL Passwords to SCRAM! by Jonathan S. Katz

Channel: Confreaks
Video link: https://www.youtube.com/watch?v=LlcoGro5IU8
Duration: 55:09


Passwords: they just seem to work. You connect to your PostgreSQL database and you are prompted for your password. You type in the correct character combination, and presto! you're in, safe and sound.

But what if I told you that all was not as it seemed, and there was a better way to authenticate with passwords in PostgreSQL?

PostgreSQL 10 added support for SCRAM (Salted Challenge Response Authentication Mechanism), defined in RFC 5802, as a way to authenticate passwords securely. The SCRAM algorithm lets a client and server validate a password without ever sending the password to each other, neither in plaintext nor in hashed form, using a series of cryptographic operations.

In this talk, we will look at:

A history of the evolution of password storage and authentication in PostgreSQL
Flaws in each of the legacy PostgreSQL password-based authentication methods
How SCRAM works, with a step-by-step deep dive into the algorithm
SCRAM channel binding, which helps prevent MITM attacks during authentication
How to safely set and modify your passwords, as well as how to upgrade to SCRAM-SHA-256 (which we will do live!)

At the end of this talk, you will understand how SCRAM works, how to ensure your PostgreSQL drivers support it, how to upgrade your passwords to SCRAM-SHA-256, and why you want to tell other PostgreSQL password mechanisms to SCRAM!
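The handshake the abstract describes, worked through as an added example that is not code from the talk: both sides of a SCRAM-SHA-256 exchange per RFC 5802 / RFC 7677, using constructed salt and nonces, no channel binding, and a `verifier` dict standing in for what the server keeps per role (salt, iteration count, StoredKey, ServerKey) instead of the password.

```python
import base64
import hashlib
import hmac
import os

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def scram_verifier(password: str, salt: bytes, iterations: int = 4096) -> dict:
    """Server-side record for a role: the password itself is never stored."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)  # Hi()
    client_key = _hmac(salted, b"Client Key")
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha256(client_key).digest(),
        "server_key": _hmac(salted, b"Server Key"),
    }

def scram_exchange(user: str, password: str, verifier: dict) -> tuple[bool, bool]:
    """Run both sides; returns (server accepted client, client accepted server)."""
    # Only nonces, salt, iteration count and proofs cross the wire (constructed here).
    c_nonce = base64.b64encode(os.urandom(18)).decode()
    s_nonce = c_nonce + base64.b64encode(os.urandom(18)).decode()
    client_first_bare = f"n={user},r={c_nonce}"
    server_first = f"r={s_nonce},s={base64.b64encode(verifier['salt']).decode()},i={verifier['iterations']}"
    client_final_bare = f"c=biws,r={s_nonce}"  # biws = base64("n,,"): no channel binding
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()

    # Client: re-derive keys from the typed password plus the server's salt/iterations.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), verifier["salt"], verifier["iterations"], 32)
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    client_proof = _xor(client_key, _hmac(stored_key, auth_message))

    # Server: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    recovered_key = _xor(client_proof, _hmac(verifier["stored_key"], auth_message))
    server_ok = hmac.compare_digest(hashlib.sha256(recovered_key).digest(), verifier["stored_key"])
    if not server_ok:
        return False, False  # server answers e=invalid-proof and sends no ServerSignature
    server_signature = _hmac(verifier["server_key"], auth_message)

    # Client: verify the server also knows ServerKey (mutual authentication).
    client_ok = hmac.compare_digest(_hmac(_hmac(salted, b"Server Key"), auth_message), server_signature)
    return server_ok, client_ok
```

Because the proof is bound to the nonces and the full AuthMessage, a captured transcript cannot be replayed, and the server record alone (StoredKey) does not allow impersonating the client.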






