[jdev] plaintext passwords hack
Peter Saint-Andre
stpeter at stpeter.im
Thu Dec 17 10:18:06 CST 2009
On 12/17/09 9:10 AM, Simon Josefsson wrote:
> Peter Saint-Andre <stpeter at stpeter.im> writes:
>
>> On 12/17/09 6:47 AM, Kurt Zeilenga wrote:
>>> On Dec 17, 2009, at 5:35 AM, Simon Josefsson wrote:
>>>
>>>> If you don't store the hashed password for SCRAM, you need to burn
>>>> CPU time for every login to derive the SCRAM hash keys. That
>>>> doesn't scale well.
>>> If you ONLY store the hash keys, you limit which password-based
>>> mechanisms can be used. That might be okay in small enterprise
>>> deployments, but seems quite problematic for large (internet scale)
>>> service providers.
>> Agreed. That's the main reason we won't deploy hashed-only on the
>> backend plus SCRAM-only on the wire at jabber.org.
>
> So will you 1) not support SCRAM at all, or 2) derive the hash keys from
> the plaintext passwords during authentication, or 3) cache the derived
> hash keys for a user?
I'm not sure yet. Definitely not #1, probably #2, maybe #3.
Peter
--
Peter Saint-Andre
https://stpeter.im/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6820 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://www.jabber.org/jdev/attachments/20091217/7b397e62/attachment.bin>
More information about the JDev
mailing list