[jdev] plaintext passwords hack

Simon Josefsson simon at josefsson.org
Thu Dec 17 09:56:21 CST 2009

Kurt Zeilenga <Kurt.Zeilenga at Isode.com> writes:

> On Dec 17, 2009, at 5:35 AM, Simon Josefsson wrote:
>> If you don't store the hashed password for SCRAM, you need to burn CPU
>> time for every login to derive the SCRAM hash keys.  That doesn't scale
>> well.
> If you ONLY store the hash keys, you limit which password-based
> mechanisms can be used.  That might be okay in small enterprise
> deployments, but seems quite problematic for large (internet scale)
> service providers.

Right.  So preferably you would store both (when that is possible).


More information about the JDev mailing list