Technical Advisory 97932

On this page Carat arrow pointing down

Publication date: March 29, 2023

Description

Starting in CockroachDB v22.2.0 and above, CockroachDB switched to using the SCRAM protocol for password authentication by default. The SCRAM protocol dictates that the password hash is computed on the client side and sent to the server instead of sending a cleartext password. After testing we determined the optimal default hash cost (iteration count) to be 119680. However, this default hashing cost was high for certain clients running on a limited amount of CPU, which resulted in higher than normal connection latency after upgrading to CockroachDB v22.2.0 and above.

Statement

This is resolved in CockroachDB by PR 98254, which sets the default hash cost value to 10610 using the cluster setting server.user_login.password_hashes.default_cost.scram_sha_256. This fix has been released in 22.2.7.

The public issue is tracked by 97932.

Mitigation

Users of CockroachDB v22.2.0 to v22.2.6, should set the value of the cluster setting server.user_login.password_hashes.default_cost.scram_sha_256 to 10610. You will also need to run ALTER USER ... WITH PASSWORD for every user in order to recompute the hash using the lower cost of 10610.

Alternatively, if your application is unaffected or you are not experiencing an increase in connection latency, the 22.2.7 release of CockroachDB will include the lower default hashing cost. This will be applied automatically during the upgrade without any user intervention.

Impact

Customers upgrading their CockroachDB versions to 22.2.0 and above may see an increase in connection latency after upgrade. Versions affected include all versions of CockroachDB v22.2.0 to v22.2.6.

Questions about any technical alert can be directed to our support team.


Yes No
On this page

Yes No