diff --git a/src/v/security/scram_algorithm.h b/src/v/security/scram_algorithm.h
index 25c4dfc3f9c2d..bfa631d5f65ba 100644
--- a/src/v/security/scram_algorithm.h
+++ b/src/v/security/scram_algorithm.h
@@ -196,6 +196,8 @@ class scram_algorithm {
 static constexpr int min_iterations = MinIterations;
 static_assert(min_iterations > 0, "Minimum iterations must be positive");
+ static constexpr auto key_size = HashType::digest_size;
+
 static bytes client_signature(
 bytes_view stored_key,
 const client_first_message& client_first,
diff --git a/src/v/security/scram_authenticator.cc b/src/v/security/scram_authenticator.cc
index 8333342499277..7247d54f8f20b 100644
--- a/src/v/security/scram_authenticator.cc
+++ b/src/v/security/scram_authenticator.cc
@@ -140,11 +140,15 @@ template class scram_authenticator;
 std::optional validate_scram_credential(
 const scram_credential& cred, const credential_password& password) {
 std::optional sasl_mechanism;
- if (security::scram_sha256::validate_password(
- password, cred.stored_key(), cred.salt(), cred.iterations())) {
+ if (
+ cred.stored_key().size() == security::scram_sha256::key_size
+ && security::scram_sha256::validate_password(
+ password, cred.stored_key(), cred.salt(), cred.iterations())) {
 sasl_mechanism = security::scram_sha256_authenticator::name;
- } else if (security::scram_sha512::validate_password(
- password, cred.stored_key(), cred.salt(), cred.iterations())) {
+ } else if (
+ cred.stored_key().size() == security::scram_sha512::key_size
+ && security::scram_sha512::validate_password(
+ password, cred.stored_key(), cred.salt(), cred.iterations())) {
 sasl_mechanism = security::scram_sha512_authenticator::name;
 }
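Review bot: The new `key_size` member in scram_algorithm.h carries no comment, and its purpose — the byte length a stored key must have before it is handed to this mechanism's `validate_password` — is only discoverable from the call site in scram_authenticator.cc; add `// Digest length of HashType: the expected byte length of a SCRAM StoredKey for this mechanism. Callers check a credential's stored key against it before validating, so a key produced under a different hash is never compared against this one.` above the declaration. Declaring it as `static constexpr size_t key_size = HashType::digest_size;` rather than `auto` would also pin the type the `.size() == key_size` comparisons rely on and avoid a sign-compare warning if `digest_size` is a signed constant. Since `validate_password` is a member of the same class, performing the same length check inside it would make the guard impossible for other callers to forget; its body is not visible here, so it may already do so. The scram_algorithm class continues outside the hunk.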