[jdev] plaintext passwords hack
Peter Saint-Andre
stpeter at stpeter.im
Thu Dec 17 09:39:48 CST 2009
On 12/17/09 6:47 AM, Kurt Zeilenga wrote:
> On Dec 17, 2009, at 5:35 AM, Simon Josefsson wrote:
>
>> If you don't store the hashed password for SCRAM, you need to burn
>> CPU time for every login to derive the SCRAM hash keys. That
>> doesn't scale well.
>
> If you ONLY store the hash keys, you limit which password-based
> mechanisms can be used. That might be okay in small enterprise
> deployments, but seems quite problematic for large (internet scale)
> service providers.
Agreed. That's the main reason we won't deploy hashed-only on the
backend plus SCRAM-only on the wire at jabber.org.
Peter
--
Peter Saint-Andre
https://stpeter.im/
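To make the trade-off in this thread concrete, here is an added example (not code from the thread or from jabber.org) of the SCRAM-SHA-1 key derivation from RFC 5802: a "hashed-only" backend stores salt, iteration count, StoredKey and ServerKey, verifies a login with two HMACs and one hash, and never touches the password; a plaintext-only backend must re-run the PBKDF2 step on every login. Names such as `ScramCredential` and `enroll` are this example's own.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from typing import Optional

HASH = "sha1"  # SCRAM-SHA-1 as in RFC 5802; "sha256" gives SCRAM-SHA-256

def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() in RFC 5802 is PBKDF2-HMAC: the deliberately slow step.
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

@dataclass(frozen=True)
class ScramCredential:
    # The four values a hashed-only backend keeps instead of the password.
    # Mechanisms that need the plaintext, or a different digest of it, such as
    # DIGEST-MD5's MD5(user:realm:password), cannot be served from these.
    salt: bytes
    iterations: int
    stored_key: bytes  # H(ClientKey)
    server_key: bytes  # HMAC(SaltedPassword, "Server Key")

def enroll(password: str, iterations: int = 4096,
           salt: Optional[bytes] = None) -> ScramCredential:
    salt = salt if salt is not None else os.urandom(16)
    sp = salted_password(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", HASH).digest()
    return ScramCredential(salt, iterations, hashlib.new(HASH, client_key).digest(),
                           hmac.new(sp, b"Server Key", HASH).digest())

def client_proof(password: str, cred: ScramCredential, auth_message: bytes) -> bytes:
    # Client side: derives ClientKey from the password and sends
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage).
    sp = salted_password(password, cred.salt, cred.iterations)
    client_key = hmac.new(sp, b"Client Key", HASH).digest()
    stored_key = hashlib.new(HASH, client_key).digest()
    return _xor(client_key, hmac.new(stored_key, auth_message, HASH).digest())

def server_verify(cred: ScramCredential, auth_message: bytes, proof: bytes) -> Optional[bytes]:
    # Server side with stored keys: no PBKDF2, just two HMACs and one hash.
    # Returns the ServerSignature on success, None on a bad proof.
    client_sig = hmac.new(cred.stored_key, auth_message, HASH).digest()
    recovered = hashlib.new(HASH, _xor(proof, client_sig)).digest()
    if not hmac.compare_digest(recovered, cred.stored_key):
        return None
    return hmac.new(cred.server_key, auth_message, HASH).digest()

def server_verify_from_plaintext(password: str, salt: bytes, iterations: int,
                                 auth_message: bytes, proof: bytes) -> Optional[bytes]:
    # A backend that keeps only the plaintext must re-run PBKDF2 on every login.
    return server_verify(enroll(password, iterations, salt), auth_message, proof)
```

Raising `iterations` makes `enroll` and the plaintext path proportionally slower while `server_verify` stays constant, which is the scaling point Simon raises above.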