SCRAM
Note
Starting in version 4.0, MongoDB removes support for the deprecated MongoDB Challenge-Response (MONGODB-CR) authentication mechanism. If your deployment has user credentials stored in the MONGODB-CR schema, you must upgrade to SCRAM before you upgrade to version 4.0.
Salted Challenge Response Authentication Mechanism (SCRAM) is the default authentication mechanism for MongoDB. SCRAM is based on the IETF RFC 5802 standard that defines best practices for implementation of challenge-response mechanisms for authenticating users with passwords.
Using SCRAM, MongoDB verifies the supplied user credentials against the user's name, password and authentication database. The authentication database is the database where the user was created, and together with the user's name, serves to identify the user.
Features
MongoDB's implementation of SCRAM provides:
A tunable work factor (i.e. the iteration count),
Per-user random salts, and
Authentication of the server to the client as well as the client to the server.
SCRAM Mechanisms
MongoDB supports the following SCRAM mechanisms:
SCRAM Mechanism | Description
---|---
SCRAM-SHA-1 | Uses the SHA-1 hashing function. To modify the iteration count for
SCRAM-SHA-256 | Uses the SHA-256 hashing function and requires featureCompatibilityVersion ( To modify the iteration count for
When you create or update a SCRAM user, you can indicate:
the SCRAM mechanism to use
whether the server or the client digests the password
When you use SCRAM-SHA-256, MongoDB requires server-side password hashing, which means that the server digests the password. For more information, see db.createUser() and db.updateUser().
Driver Support
To use SCRAM, you must upgrade your driver if your current driver version does not support SCRAM.
The minimum driver versions that support SCRAM are:
Additional Information
If you use SCRAM-SHA-1:
md5 is necessary but is not used for cryptographic purposes, and
if you use FIPS mode, then instead of SCRAM-SHA-1 use: