On this page
New in version 3.0.
Salted Challenge Response Authentication Mechanism (SCRAM) is the default authentication mechanism for MongoDB. SCRAM is based on the IETF RFC 5802 standard that defines best practices for implementation of challenge-response mechanisms for authenticating users with passwords.
Using SCRAM, MongoDB verifies the supplied user credentials against the user’s name, password and authentication database. The authentication database is the database where the user was created, and together with the user’s name, serves to identify the user.
MongoDB’s implementation of SCRAM uses the SHA-1 hashing function.
MongoDB’s implementation of SCRAM represents an improvement in security over the MongoDB challenge response authentication mechanism, providing:
A tunable work factor (
Per-user random salts rather than server-wide salts,
A cryptographically stronger hash function (
Authentication of the server to the client as well as the client to the server.
After you upgrade a deployment that already has MongoDB Challenge and Response (
MONGODB-CR ) user credentials, if you have not upgraded the authentication schema, you can continue to use
For older versions of drivers that do not support MongoDB 3.0+ features, you will continue to use
For drivers that support MongoDB 3.0+ features (see Driver Compatibility Changes), you can explicitly specify
MONGODB-CRas the authentication mechanism to use
MONGODB-CR. Otherwise, the credentials are temporarily converted to use SCRAM during authentication to provide improved protection from passive eavesdroppers; this temporary conversion does not affect how the credentials are stored.
As of MongoDB 3.6,
MONGODB-CR authentication mechanism is deprecated. If you have not upgraded your
MONGODB-CR authentication schema to SCRAM, see Upgrade to SCRAM.
To use SCRAM, you must upgrade your driver if your current driver version does not support
The minimum driver versions that support
|PHP||ext-mongo 1.6, ext-mongodb 1.0|