[jdev] plaintext passwords hack

Peter Saint-Andre stpeter at stpeter.im
Thu Dec 17 10:18:06 CST 2009

On 12/17/09 9:10 AM, Simon Josefsson wrote:
> Peter Saint-Andre <stpeter at stpeter.im> writes:
>> On 12/17/09 6:47 AM, Kurt Zeilenga wrote:
>>> On Dec 17, 2009, at 5:35 AM, Simon Josefsson wrote:
>>>> If you don't store the hashed password for SCRAM, you need to burn
>>>> CPU time for every login to derive the SCRAM hash keys.  That
>>>> doesn't scale well.
>>> If you ONLY store the hash keys, you limit which password-based
>>> mechanisms can be used.  That might be okay in small enterprise
>>> deployments, but seems quite problematic for large (internet scale)
>>> service providers.
>> Agreed. That's the main reason we won't deploy hashed-only on the
>> backend plus SCRAM-only on the wire at jabber.org.
> So will you 1) not support SCRAM at all, or 2) derive the hash keys from
> the plaintext passwords during authentication, or 3) cache the derived
> hash keys for a user?

I'm not sure yet. Definitely not #1, probably #2, maybe #3.


Peter Saint-Andre

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6820 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20091217/7b397e62/attachment.bin>

More information about the JDev mailing list