[jdev] plaintext passwords hack

Simon Josefsson simon at josefsson.org
Thu Dec 17 09:56:21 CST 2009


Kurt Zeilenga <Kurt.Zeilenga at Isode.com> writes:

> On Dec 17, 2009, at 5:35 AM, Simon Josefsson wrote:
>
>> If you don't store the hashed password for SCRAM, you need to burn CPU
>> time for every login to derive the SCRAM hash keys.  That doesn't scale
>> well.
>
> If you ONLY store the hash keys, you limit which password-based
> mechanisms can be used.  That might be okay in small enterprise
> deployments, but seems quite problematic for large (internet scale)
> service providers.

Right.  So preferably you would store both (when that is possible).

/Simon
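The trade-off discussed above, worked through in code. This is an added example, not code from the thread or from any of the participants: a minimal SCRAM-SHA-256 key derivation and proof check (the key derivation steps of RFC 5802, with SHA-256 as in RFC 7677, without SASLprep normalization). It shows that a server holding StoredKey and ServerKey verifies a login with two HMAC/hash operations, whereas a server holding only the plaintext must re-run PBKDF2 on every login. The salt, iteration count, password and AuthMessage are constructed sample values, and the PBKDF2 call counter exists only to make the cost visible.

```python
"""Added example: SCRAM-SHA-256 key derivation and proof verification.
Shows why storing StoredKey/ServerKey avoids a PBKDF2 run on every login.
Not code from the mailing-list thread."""
import hashlib
import hmac

HASH = "sha256"
_PBKDF2_CALLS = 0  # counter, only to make the cost difference observable

# Constructed sample values (not real credentials or a real SCRAM exchange).
SALT = b"constructed-salt-16b"
ITERATIONS = 4096
AUTH_MESSAGE = b"n=user,r=cnonce,r=cnonce-snonce,s=Y29uc3RydWN0ZWQ=,i=4096,c=biws,r=cnonce-snonce"


def pbkdf2_call_count() -> int:
    return _PBKDF2_CALLS


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    """SaltedPassword := Hi(password, salt, i), i.e. PBKDF2: the expensive step."""
    global _PBKDF2_CALLS
    _PBKDF2_CALLS += 1
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(password: str, salt: bytes, iterations: int) -> dict:
    """Run once when the password is set: derive the keys the server keeps."""
    sp = salted_password(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", HASH).digest()
    server_key = hmac.new(sp, b"Server Key", HASH).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha256(client_key).digest(),  # StoredKey := H(ClientKey)
        "server_key": server_key,
    }


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: ClientProof := ClientKey XOR HMAC(StoredKey, AuthMessage).
    The client always pays for PBKDF2, since it starts from the password."""
    sp = salted_password(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", HASH).digest()
    stored_key = hashlib.sha256(client_key).digest()
    return xor(client_key, hmac.new(stored_key, auth_message, HASH).digest())


def verify_from_stored_keys(record: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server with StoredKey on file: recover ClientKey from the proof and
    check H(ClientKey) == StoredKey.  No PBKDF2 at login time."""
    client_signature = hmac.new(record["stored_key"], auth_message, HASH).digest()
    client_key = xor(proof, client_signature)
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), record["stored_key"])


def verify_from_plaintext(password: str, record: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server that kept only the plaintext password: it must re-derive the
    SCRAM keys (one PBKDF2 run) on every login before it can check the proof."""
    derived = enroll(password, record["salt"], record["iterations"])
    return verify_from_stored_keys(derived, auth_message, proof)


def server_signature(record: dict, auth_message: bytes) -> bytes:
    """ServerSignature := HMAC(ServerKey, AuthMessage); the client recomputes it
    from the password to confirm the server actually holds ServerKey."""
    return hmac.new(record["server_key"], auth_message, HASH).digest()


if __name__ == "__main__":
    record = enroll("correct horse", SALT, ITERATIONS)
    proof = client_proof("correct horse", SALT, ITERATIONS, AUTH_MESSAGE)

    before = pbkdf2_call_count()
    ok = verify_from_stored_keys(record, AUTH_MESSAGE, proof)
    print("stored keys: valid =", ok, "pbkdf2 runs =", pbkdf2_call_count() - before)

    before = pbkdf2_call_count()
    ok = verify_from_plaintext("correct horse", record, AUTH_MESSAGE, proof)
    print("plaintext only: valid =", ok, "pbkdf2 runs =", pbkdf2_call_count() - before)

    bad = client_proof("wrong password", SALT, ITERATIONS, AUTH_MESSAGE)
    print("wrong password accepted:", verify_from_stored_keys(record, AUTH_MESSAGE, bad))
```

Storing both, as suggested above, means keeping the StoredKey/ServerKey record for the cheap SCRAM path alongside whatever other representation the deployment's other password-based mechanisms require; the stored-key path never needs the plaintext, so the stored-key record on its own still limits what an attacker learns from a database leak to values that are only useful for impersonation against that one server.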

