[jdev] plaintext passwords hack

Simon Josefsson simon at josefsson.org
Thu Dec 17 10:10:22 CST 2009


Peter Saint-Andre <stpeter at stpeter.im> writes:

> On 12/17/09 6:47 AM, Kurt Zeilenga wrote:
>> On Dec 17, 2009, at 5:35 AM, Simon Josefsson wrote:
>> 
>>> If you don't store the hashed password for SCRAM, you need to burn
>>> CPU time for every login to derive the SCRAM hash keys.  That
>>> doesn't scale well.
>> 
>> If you ONLY store the hash keys, you limit which password-based
>> mechanisms can be used.  That might be okay in small enterprise
>> deployments, but seems quite problematic for large (internet scale)
>> service providers.
>
> Agreed. That's the main reason we won't deploy hashed-only on the
> backend plus SCRAM-only on the wire at jabber.org.

So will you 1) not support SCRAM at all, or 2) derive the hash keys from
the plaintext passwords during authentication, or 3) cache the derived
hash keys for a user?

/Simon
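The trade-off the thread describes, as an added example (not code from this list or from any jabber.org deployment): the RFC 5802 derivation of a hashed-only SCRAM record, the server-side proof check that needs only StoredKey, and a per-user cache of derived keys corresponding to option 3. The username, password, salt and iteration count follow the RFC 5802 example exchange; the AuthMessage string and the cache layout are constructed for this example.

```python
import base64
import hashlib
import hmac

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def scram_record(password: str, salt: bytes, iterations: int, h: str = "sha1") -> dict:
    """Hashed-only record (RFC 5802 StoredKey/ServerKey) from a plaintext password.
    The PBKDF2 loop is the per-login CPU cost the thread is arguing about."""
    salted = hashlib.pbkdf2_hmac(h, password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", h).digest()
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.new(h, client_key).digest(),
            "server_key": hmac.new(salted, b"Server Key", h).digest()}

def client_proof(password: str, record: dict, auth_message: bytes, h: str = "sha1") -> bytes:
    """What the client sends: ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac(h, password.encode("utf-8"), record["salt"], record["iterations"])
    client_key = hmac.new(salted, b"Client Key", h).digest()
    stored_key = hashlib.new(h, client_key).digest()
    return _xor(client_key, hmac.new(stored_key, auth_message, h).digest())

def verify_scram(record: dict, auth_message: bytes, proof: bytes, h: str = "sha1") -> bool:
    """Server-side check: recover ClientKey from the proof, hash it, compare to StoredKey.
    No PBKDF2 and no plaintext needed, which is why hashed-only storage works for SCRAM."""
    client_sig = hmac.new(record["stored_key"], auth_message, h).digest()
    recovered = hashlib.new(h, _xor(proof, client_sig)).digest()
    return hmac.compare_digest(recovered, record["stored_key"])

_KEY_CACHE: dict = {}

def cached_record(user: str, password: str, salt: bytes, iterations: int) -> dict:
    """Option 3: a server that keeps plaintext derives the SCRAM keys once per
    (user, salt, iterations) and reuses them; the cache entry must be dropped when
    the password changes, since the key deliberately excludes the password."""
    key = (user, salt, iterations)
    if key not in _KEY_CACHE:
        _KEY_CACHE[key] = scram_record(password, salt, iterations)
    return _KEY_CACHE[key]

# Constructed sample: username, password, salt and iteration count follow the
# RFC 5802 example exchange; AuthMessage is a stand-in for the three concatenated messages.
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
RECORD = scram_record("pencil", SALT, 4096)
AUTH_MESSAGE = b"n=user,r=clientnonce,r=clientnonceservernonce,s=QSXCR+Q6sek8bf92,i=4096,c=biws,r=clientnonceservernonce"
PROOF = client_proof("pencil", RECORD, AUTH_MESSAGE)
```

A server holding only RECORD can verify SCRAM logins without touching PBKDF2, but it cannot verify mechanisms that need the plaintext, which is Kurt's objection; a server holding plaintext pays the PBKDF2 cost on every SCRAM login unless it caches.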
