diff --git a/Cargo.lock b/Cargo.lock index 4cceb05d3c..8ef2a6be00 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2654,16 +2654,6 @@ dependencies = [ "windows-sys 0.45.0", ] -[[package]] -name = "pbkdf2" -version = "0.12.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f0ca0b5a68607598bf3bad68f32227a8164f6254833f84eafaac409cd6746c31" -dependencies = [ - "digest", - "hmac", -] - [[package]] name = "peeking_take_while" version = "0.1.2" @@ -3057,7 +3047,6 @@ dependencies = [ "once_cell", "opentelemetry", "parking_lot 0.12.1", - "pbkdf2", "pin-project-lite", "postgres-native-tls", "postgres-protocol", diff --git a/Cargo.toml b/Cargo.toml index a0acc061fb..ba61f72a2b 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -88,7 +88,6 @@ opentelemetry = "0.19.0" opentelemetry-otlp = { version = "0.12.0", default_features=false, features = ["http-proto", "trace", "http", "reqwest-client"] } opentelemetry-semantic-conventions = "0.11.0" parking_lot = "0.12" -pbkdf2 = "0.12.1" pin-project-lite = "0.2" prometheus = {version = "0.13", default_features=false, features = ["process"]} # removes protobuf dependency prost = "0.11" diff --git a/proxy/Cargo.toml b/proxy/Cargo.toml index 7af1098f43..dfd2336f73 100644 --- a/proxy/Cargo.toml +++ b/proxy/Cargo.toml @@ -29,7 +29,6 @@ metrics.workspace = true once_cell.workspace = true opentelemetry.workspace = true parking_lot.workspace = true -pbkdf2.workspace = true pin-project-lite.workspace = true postgres_backend.workspace = true postgres-protocol.workspace = true diff --git a/proxy/src/scram.rs b/proxy/src/scram.rs index db3f51370d..ab853519bb 100644 --- a/proxy/src/scram.rs +++ b/proxy/src/scram.rs @@ -54,6 +54,8 @@ fn sha256<'a>(parts: impl IntoIterator) -> [u8; 32] { #[cfg(test)] mod tests { + use postgres_protocol::authentication::sasl::{ChannelBinding, ScramSha256}; + use crate::sasl::{Mechanism, Step}; use super::{Exchange, ServerSecret}; 
@@ -104,4 +106,40 @@ mod tests {
 ]
 );
 }
+
+ fn run_round_trip_test(client_password: &str) {
+ let secret = ServerSecret::build("pencil").unwrap();
+ let mut exchange = Exchange::new(&secret, rand::random, None);
+
+ let mut client =
+ ScramSha256::new(client_password.as_bytes(), ChannelBinding::unsupported());
+
+ let client_first = std::str::from_utf8(client.message()).unwrap();
+ exchange = match exchange.exchange(client_first).unwrap() {
+ Step::Continue(exchange, message) => {
+ client.update(message.as_bytes()).unwrap();
+ exchange
+ }
+ Step::Success(_, _) => panic!("expected continue, got success"),
+ Step::Failure(f) => panic!("{f}"),
+ };
+
+ let client_final = std::str::from_utf8(client.message()).unwrap();
+ match exchange.exchange(client_final).unwrap() {
+ Step::Success(_, message) => client.finish(message.as_bytes()).unwrap(),
+ Step::Continue(_, _) => panic!("expected success, got continue"),
+ Step::Failure(f) => panic!("{f}"),
+ };
+ }
+
+ #[test]
+ fn round_trip() {
+ run_round_trip_test("pencil")
+ }
+
+ #[test]
+ #[should_panic(expected = "password doesn't match")]
+ fn failure() {
+ run_round_trip_test("eraser")
+ }
 }
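Review bot: The `failure` test accepts a panic from anywhere in `run_round_trip_test` as long as its message contains "password doesn't match", so it does not pin that the wrong password is rejected at the client-final step rather than earlier or through one of the `.unwrap()` calls. For an authentication path the negative case is the important one; I would have the helper return the server's failure reason from the final step and assert on it in both tests, as sketched below (this assumes the rejection is reported as `Step::Failure`, which the hunk does not show). The tests also cover only `ChannelBinding::unsupported()` with `None` as the third argument of `Exchange::new`, so a channel-binding case would be a useful follow-up. The enclosing `mod tests` begins outside this hunk.

```rust
/// Runs a full SCRAM exchange against a server secret built from "pencil".
/// Returns the server's failure reason from the client-final step, or `None`
/// when the server accepts the proof and the client verifies the server's reply.
fn run_round_trip_test(client_password: &str) -> Option<String> {
    // … unchanged: secret, exchange and client setup, client-first round …

    let client_final = std::str::from_utf8(client.message()).unwrap();
    match exchange.exchange(client_final).unwrap() {
        Step::Success(_, message) => {
            client.finish(message.as_bytes()).unwrap();
            None
        }
        Step::Continue(_, _) => panic!("expected success, got continue"),
        Step::Failure(f) => Some(f.to_string()),
    }
}

#[test]
fn round_trip() {
    assert_eq!(run_round_trip_test("pencil"), None);
}

#[test]
fn failure() {
    let reason = run_round_trip_test("eraser").expect("wrong password must be rejected");
    assert!(reason.contains("password doesn't match"));
}
```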