diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c
index 629e51e00b..a723e8219a 100644
--- a/src/backend/libpq/crypt.c
+++ b/src/backend/libpq/crypt.c
@@ -121,6 +121,19 @@ encrypt_password(PasswordType target_type, const char *role,
 if (guessed_type != PASSWORD_TYPE_PLAINTEXT)
 {
+ /*
+ * Valid SCRAM-SHA-256 hashes can have very long "iterations" and
+ * "salt" fields, but we don't want to store anything that might get
+ * TOASTed, since de-TOASTing won't work during authentication because
+ * we haven't selected a database yet and cannot read pg_class. 256
+ * bytes should be more than enough for all practical use, so fail for
+ * anything longer.
+ */
+ if (guessed_type == PASSWORD_TYPE_SCRAM_SHA_256 &&
+ strlen(password) > 256)
+ ereport(ERROR,
+ (errmsg("SCRAM-SHA-256 hash is too long")));
+
 /*
 * Cannot convert an already-encrypted password from one format to
 * another, so return it as it is.
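Review bot: The new `ereport(ERROR, ...)` carries no `errcode()`, so a pre-hashed password rejected for length is reported with the default internal-error SQLSTATE even though it is a caller-supplied value exceeding a limit; adding `errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED)` next to the `errmsg` would let clients and log monitoring distinguish it from a server fault. The bare `256` in `strlen(password) > 256` would be better as a named constant that an `errdetail` can also print, so the limit is defined once and the user is told what it is. The check guards only this path in `encrypt_password`, whose body starts and ends outside the hunk. Hashes already stored above the limit, or written to the catalog by other means, would presumably still hit the de-TOAST failure at authentication and may need separate detection.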