Skip to content

Instantly share code, notes, and snippets.

@synopse
Created November 4, 2025 09:31
Show Gist options
  • Select an option

  • Save synopse/5a3ea82d39ea44bb0d926f1f3da583c6 to your computer and use it in GitHub Desktop.

Select an option

Save synopse/5a3ea82d39ea44bb0d926f1f3da583c6 to your computer and use it in GitHub Desktop.
with mongodb, can I connect using SCRAM-SHA-256 to a user created with SCRAM-SHA-1 digest?

No, you cannot connect to MongoDB using SCRAM-SHA-256 authentication for a user that was explicitly created with only the SCRAM-SHA-1 mechanism (i.e., specifying mechanisms: ["SCRAM-SHA-1"] in db.createUser()).

Here's why:

  • When creating a user, the mechanisms field determines which SCRAM variants' credentials are stored for that user. SCRAM-SHA-1 and SCRAM-SHA-256 are distinct: the former uses SHA-1 hashing, while the latter uses SHA-256 and requires server-side password digestion (passwordDigestor: "server").
  • If only SCRAM-SHA-1 is specified, the server stores only the corresponding salted password verifier for that mechanism. Attempting SCRAM-SHA-256 authentication will fail because the server lacks the SHA-256 credentials for the user.
  • By default (without specifying mechanisms), MongoDB creates users with both SCRAM-SHA-1 and SCRAM-SHA-256 credentials, allowing clients to authenticate using either. You can also explicitly add both via mechanisms: ["SCRAM-SHA-1", "SCRAM-SHA-256"].

To enable SCRAM-SHA-256 for an existing SCRAM-SHA-1 user, use db.updateUser() to add the mechanism (this requires knowing the plaintext password to re-derive the SHA-256 verifier). For example:

db.updateUser(
  "username",
  {
    pwd: "password",
    mechanisms: ["SCRAM-SHA-1", "SCRAM-SHA-256"],
    passwordDigestor: "server"
  }
)

This upgrades the user to support both without disrupting existing SHA-1 connections. Ensure your MongoDB version is 4.0+ and featureCompatibilityVersion is at least 4.0 for SHA-256 support.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment