The number of computational iterations to be performed when encrypting a password using SCRAM-SHA-256.
At a glance
| Property | Value |
|---|---|
| Parameter | scram_iterations |
| Category | Connections and Authentication |
| Default | 4096 |
| Value type | integer |
| Change scope | Per-session (SET) |
| Available in | PostgreSQL 16, 17, 18, 19 (added in 16) |
What it does
The number of computational iterations to be performed when encrypting a password using SCRAM-SHA-256. The default is 4096. A higher number of iterations provides additional protection against brute-force attacks on stored passwords, but makes authentication slower. Changing the value has no effect on existing passwords encrypted with SCRAM-SHA-256 as the iteration count is fixed at the time of encryption. In order to make use of a changed value, a new password must be set.
(Description quoted from the official PostgreSQL documentation.)
How to apply a change
Can be set per session with `SET`, per role/database with `ALTER ROLE/DATABASE ... SET`, or globally in `postgresql.conf`.
Inspect the current value and source with `SHOW scram_iterations;` or `SELECT name, setting, unit, context, source FROM pg_settings WHERE name = 'scram_iterations';`
Tuning guidance
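Raise it to harden SCRAM password hashing against brute force at a small login-time CPU cost; the default is a sound balance. A changed value applies only to passwords set after the change; existing SCRAM-SHA-256 passwords keep the iteration count they were encrypted with until a new password is set.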
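The iteration count is stored inside each SCRAM-SHA-256 verifier (`SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>`), which is why raising the setting leaves existing passwords unchanged. The following added example (not from the PostgreSQL documentation) builds such verifiers and audits a list of `(rolname, rolpassword)` pairs for roles that still need a new password. It assumes the pairs were read from `pg_authid` by a superuser and that passwords are ASCII, so SASLprep is skipped; the function names and sample rows are constructed for illustration.

```python
import base64, hashlib, hmac

def build_verifier(password, iterations, salt):
    """Build a SCRAM-SHA-256 verifier; ASCII password assumed (no SASLprep)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("ascii"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"

def verifier_iterations(rolpassword):
    """Return the iteration count stored in a verifier, or None if malformed."""
    if not rolpassword or not rolpassword.startswith("SCRAM-SHA-256$"):
        return None
    try:
        _, params, keys = rolpassword.split("$")
        count, salt = params.split(":")
        stored_key, server_key = keys.split(":")
        for field in (salt, stored_key, server_key):
            base64.b64decode(field, validate=True)
        return int(count)
    except ValueError:  # wrong field count, bad base64, or non-numeric count
        return None

def roles_below(rows, minimum):
    """Report roles whose stored verifier is weaker than `minimum` or not SCRAM."""
    findings = []
    for name, rolpassword in rows:
        if rolpassword is None:  # role has no password set
            continue
        count = verifier_iterations(rolpassword)
        if count is None:
            findings.append((name, "not SCRAM-SHA-256"))
        elif count < minimum:
            findings.append((name, f"{count} iterations"))
    return findings

# Constructed sample data standing in for pg_authid rows.
SALT = bytes(range(16))
SAMPLE_ROWS = [
    ("app_old", build_verifier("constructed-pw", 4096, SALT)),
    ("app_new", build_verifier("constructed-pw", 20000, SALT)),
    ("legacy", "md5" + "0" * 32),
    ("nologin", None),
]
if __name__ == "__main__":
    for name, reason in roles_below(SAMPLE_ROWS, 20000):
        print(f"{name}: {reason}; set a new password to re-hash")
```
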