SCRAM
Salted Challenge Response Authentication Mechanism (SCRAM) is the default authentication mechanism for MongoDB.
When a user authenticates, MongoDB uses SCRAM to verify the supplied credentials against the user's name, password and authentication database.
SCRAM is based on IETF RFC 5802, which defines a challenge-response mechanism for authenticating users with passwords; the SHA-256 variant is specified in RFC 7677. Neither the cleartext password nor a reusable password-equivalent crosses the wire: the client sends a proof derived from the password and the server verifies it against a stored, salted verifier.
Features
MongoDB's implementation of SCRAM provides:
- A tunable work factor (the PBKDF2 iteration count), which sets the cost of an offline guessing attack against a leaked verifier
- Per-user random salts, so identical passwords produce different stored keys and precomputed tables do not apply
- Bi-directional authentication: the client proves knowledge of the password, and the server's final message proves it holds the stored server key, so a client also detects a server that does not know its credentials
SCRAM Mechanisms
MongoDB supports the following SCRAM mechanisms:

| SCRAM Mechanism | Description |
|---|---|
| SCRAM-SHA-1 | Uses the SHA-1 hashing function. To modify the iteration count for |
| SCRAM-SHA-256 | Uses the SHA-256 hashing function. To modify the iteration count for |
When you create or update a SCRAM user, you can indicate:
- the SCRAM mechanism to use
- whether the server or the client digests the password
When you use SCRAM-SHA-256, MongoDB requires server-side password hashing (passwordDigestor: "server"), which means that the server digests the password. Client-side digesting is only possible with SCRAM-SHA-1, since it relies on the legacy MD5 pre-digest described under Additional Information. For more information, see db.createUser() and db.updateUser().
Driver Support
The minimum driver versions that support SCRAM are:
Additional Information
If you use SCRAM-SHA-1:
- MD5 is necessary but is not used for cryptographic purposes: the value fed into SCRAM-SHA-1 is the MD5 digest of `<username>:mongo:<password>`, a compatibility step inherited from MongoDB's earlier password format, not the primitive the protocol's security rests on, and
- if you use FIPS mode, which does not permit MD5, then instead of SCRAM-SHA-1 use:
  - SCRAM-SHA-256,
  - Kerberos,
  - LDAP, or
  - x.509
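The following is an added example, not MongoDB's own code, showing the SCRAM exchange the Features and SCRAM Mechanisms sections describe and the MD5 pre-digest noted for SCRAM-SHA-1 above. It runs both the client and the server side in one process: `create_user` builds the salted verifier the server stores (never the password), `run_exchange` produces all four protocol messages, the server checks the client proof using only the stored key, and the client checks the server signature (the bi-directional property). Assumptions: the default iteration counts are illustrative, SASLprep is omitted, and the only SCRAM-SHA-256 test vector used is the public one from RFC 7677.

```python
"""Self-contained SCRAM-SHA-1 / SCRAM-SHA-256 exchange (added example, not MongoDB code)."""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass

# hash name and an assumed default iteration count per mechanism
MECHANISMS = {"SCRAM-SHA-1": ("sha1", 10000), "SCRAM-SHA-256": ("sha256", 15000)}


@dataclass
class StoredCredential:
    """What the server keeps: a per-user salt, the work factor and two derived keys."""
    mechanism: str
    salt: bytes
    iterations: int
    stored_key: bytes   # H(ClientKey): enough to verify a client proof
    server_key: bytes   # HMAC(SaltedPassword, "Server Key"): proves the server to the client


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def _unb64(s: str) -> bytes:
    return base64.b64decode(s)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _parse(msg: str) -> dict:
    # split each attribute on the first '=' only: base64 values may end in '='
    return dict(part.split("=", 1) for part in msg.split(","))


def _digested_password(mechanism: str, username: str, password: str) -> bytes:
    if mechanism == "SCRAM-SHA-1":
        # MongoDB feeds the hex MD5 of "<user>:mongo:<password>" into SCRAM-SHA-1.
        # MD5 is a legacy pre-digest here, not the security primitive, but it is
        # why SCRAM-SHA-1 cannot be used when FIPS mode forbids MD5.
        return hashlib.md5(f"{username}:mongo:{password}".encode()).hexdigest().encode()
    # SCRAM-SHA-256 uses the UTF-8 password directly (SASLprep omitted; assumes ASCII)
    return password.encode()


def _derive_keys(mechanism: str, username: str, password: str, salt: bytes, iterations: int):
    hash_name = MECHANISMS[mechanism][0]
    salted = hashlib.pbkdf2_hmac(hash_name, _digested_password(mechanism, username, password),
                                 salt, iterations)  # iteration count = tunable work factor
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    server_key = hmac.new(salted, b"Server Key", hash_name).digest()
    return client_key, server_key


def create_user(mechanism: str, username: str, password: str,
                salt: bytes = None, iterations: int = None) -> StoredCredential:
    """Server-side digest at user creation; the password itself is not retained."""
    hash_name, default_iters = MECHANISMS[mechanism]
    salt = salt or os.urandom(16)           # per-user random salt
    iterations = iterations or default_iters
    client_key, server_key = _derive_keys(mechanism, username, password, salt, iterations)
    return StoredCredential(mechanism, salt, iterations,
                            hashlib.new(hash_name, client_key).digest(), server_key)


def run_exchange(cred: StoredCredential, username: str, password: str,
                 client_nonce: str = None, server_nonce: str = None) -> dict:
    """Run the four SCRAM messages in-process and report what each side concluded."""
    hash_name = MECHANISMS[cred.mechanism][0]
    cnonce = client_nonce or _b64(os.urandom(18))
    snonce = server_nonce or _b64(os.urandom(18))
    client_first_bare = f"n={username},r={cnonce}"
    server_first = f"r={cnonce}{snonce},s={_b64(cred.salt)},i={cred.iterations}"
    attrs = _parse(server_first)
    if not attrs["r"].startswith(cnonce):       # client: server must extend our nonce
        raise ValueError("server nonce does not extend client nonce")
    client_final_bare = f"c=biws,r={attrs['r']}"  # biws = base64("n,,"): no channel binding
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()

    # client: derive keys from the password plus the salt/iterations the server sent
    client_key, client_server_key = _derive_keys(cred.mechanism, username, password,
                                                 _unb64(attrs["s"]), int(attrs["i"]))
    stored_key = hashlib.new(hash_name, client_key).digest()
    client_proof = _xor(client_key, hmac.new(stored_key, auth_message, hash_name).digest())
    client_final = f"{client_final_bare},p={_b64(client_proof)}"

    # server: recover ClientKey from the proof using only StoredKey (never the password)
    proof = _unb64(_parse(client_final)["p"])
    recovered = _xor(proof, hmac.new(cred.stored_key, auth_message, hash_name).digest())
    client_accepted = hmac.compare_digest(hashlib.new(hash_name, recovered).digest(), cred.stored_key)
    result = {"client_first": "n,," + client_first_bare, "server_first": server_first,
              "client_final": client_final, "server_final": None,
              "client_accepted": client_accepted, "server_verified": False}
    if not client_accepted:
        return result                            # server refuses; no server signature is sent
    server_final = "v=" + _b64(hmac.new(cred.server_key, auth_message, hash_name).digest())
    # client: the signature proves the server holds ServerKey (bi-directional authentication)
    expected = hmac.new(client_server_key, auth_message, hash_name).digest()
    result["server_final"] = server_final
    result["server_verified"] = hmac.compare_digest(_unb64(_parse(server_final)["v"]), expected)
    return result


if __name__ == "__main__":
    cred = create_user("SCRAM-SHA-256", "alice", "correct horse battery staple")
    for k, v in run_exchange(cred, "alice", "correct horse battery staple").items():
        print(f"{k}: {v}")
```

Run it and inspect the transcript: the server-first message carries the salt and iteration count in the clear (they are not secrets; the work factor is what makes a leaked verifier expensive to attack), the client proof is bound to both nonces, and a wrong password makes the server stop before emitting `v=...`. Passing the RFC 7677 nonces, salt and iteration count for user `user` / password `pencil` reproduces that RFC's published proof and server signature exactly.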