[jdev] plaintext passwords hack
Kurt Zeilenga
Kurt.Zeilenga at Isode.com
Thu Dec 17 07:47:41 CST 2009
On Dec 17, 2009, at 5:35 AM, Simon Josefsson wrote:
> If you don't store the hashed password for SCRAM, you need to burn CPU
> time for every login to derive the SCRAM hash keys. That doesn't scale
> well.
If you ONLY store the hash keys, you limit which password-based mechanisms can be used. That might be okay in small enterprise deployments, but seems quite problematic for large (internet scale) service providers.
-- Kurt
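The trade-off in this exchange, as an added example that is not part of the original post or of any server's code: a record holding only SCRAM keys verifies a login with two cheap hashes, but cannot serve a mechanism that needs the password itself. It assumes SCRAM-SHA-1 as in RFC 5802 and uses CRAM-MD5 (RFC 2195) as the other mechanism, which the thread does not name. The record layout and function names are hypothetical, and SASLprep normalization is omitted.

```python
import hashlib, hmac, os

def derive_scram_keys(password, salt, iterations):
    """Costly step (RFC 5802 Hi = PBKDF2-HMAC-SHA1); done once if keys are stored."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return client_key, hashlib.sha1(client_key).digest(), server_key

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def client_proof(password, salt, iterations, auth_message):
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, stored_key, _ = derive_scram_keys(password, salt, iterations)
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return xor(client_key, signature)

def verify_scram(record, auth_message, proof):
    """Server side with StoredKey only: no PBKDF2 at login time."""
    signature = hmac.new(record["stored_key"], auth_message, hashlib.sha1).digest()
    recovered = hashlib.sha1(xor(proof, signature)).digest()
    return hmac.compare_digest(recovered, record["stored_key"])

def verify_cram_md5(record, challenge, response_hex):
    """CRAM-MD5 keys HMAC-MD5 with the password, so StoredKey is of no use here."""
    password = record.get("password")
    if password is None:
        return None  # mechanism cannot be offered for this account
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, response_hex)

def enroll(password, keep_plaintext, iterations=4096):
    """Hypothetical account record; keep_plaintext selects the storage policy."""
    salt = os.urandom(16)
    _, stored_key, server_key = derive_scram_keys(password, salt, iterations)
    record = {"salt": salt, "iterations": iterations,
              "stored_key": stored_key, "server_key": server_key}
    if keep_plaintext:
        record["password"] = password
    return record
```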