[jdev] plaintext passwords hack
stpeter at stpeter.im
Thu Dec 17 10:18:06 CST 2009
On 12/17/09 9:10 AM, Simon Josefsson wrote:
> Peter Saint-Andre <stpeter at stpeter.im> writes:
>> On 12/17/09 6:47 AM, Kurt Zeilenga wrote:
>>> On Dec 17, 2009, at 5:35 AM, Simon Josefsson wrote:
>>>> If you don't store the hashed password for SCRAM, you need to burn
>>>> CPU time for every login to derive the SCRAM hash keys. That
>>>> doesn't scale well.
>>> If you ONLY store the hash keys, you limit which password-based
>>> mechanisms can be used. That might be okay in small enterprise
>>> deployments, but seems quite problematic for large (internet scale)
>>> service providers.
>> Agreed. That's the main reason we won't deploy hashed-only on the
>> backend plus SCRAM-only on the wire at jabber.org.
> So will you 1) not support SCRAM at all, or 2) derive the hash keys from
> the plaintext passwords during authentication, or 3) cache the derived
> hash keys for a user?
I'm not sure yet. Definitely not #1, probably #2, maybe #3.
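The trade-off the thread is weighing, shown in working code as an added example (it is not code from the thread, from jabber.org or from any XMPP server): the SCRAM-SHA-1 key derivation and the four-message exchange follow RFC 5802, and a small backend keeps plaintext passwords and either derives the SCRAM keys on every login (Peter's option #2) or caches them per user (option #3). ScramVerifier, PlaintextBackend, login_cost and the user/password pair are assumed names; the salt and nonces are constructed inputs taken from the example exchange in RFC 5802 section 5, so the printed messages can be compared with that section.

```python
"""SCRAM (RFC 5802) key derivation, a full exchange, and a plaintext backend that
derives the keys per login (option #2) or caches them (option #3).
Added example; not code from the jdev thread or from jabber.org."""
import base64, hashlib, hmac, os, secrets
from dataclasses import dataclass

GS2_HEADER = b"n,,"                             # no channel binding
CHANNEL_BINDING = base64.b64encode(GS2_HEADER)  # b"biws", echoed in client-final
SAMPLE_SALT = bytes.fromhex("4125c247e43ab1e93c6dff76")  # RFC 5802 sec. 5 salt (constructed input)
CLIENT_NONCE = "fyko+d2lbbFgONRv9qkxdawL"                # RFC 5802 sec. 5 client nonce
SERVER_NONCE = "3rfcNHYJY1ZVvWVs7j"                      # RFC 5802 sec. 5 server nonce


@dataclass(frozen=True)
class ScramVerifier:
    """What a hashed-only backend stores per user (RFC 5802 section 3)."""
    hash_name: str
    salt: bytes
    iterations: int
    stored_key: bytes   # H(ClientKey)
    server_key: bytes   # HMAC(SaltedPassword, "Server Key")


def derive_verifier(password, salt, iterations, hash_name="sha1"):
    """Hi() is PBKDF2-HMAC: the per-login CPU cost. Needs the plaintext, so hash,
    salt and iteration count are fixed for the verifier it produces."""
    salted = hashlib.pbkdf2_hmac(hash_name, password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    server_key = hmac.new(salted, b"Server Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()
    return ScramVerifier(hash_name, salt, iterations, stored_key, server_key)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def scram_exchange(username, password, verifier, cnonce, snonce):
    """Client side holds the plaintext, server side only the verifier. Returns
    ([four messages], server accepted client, client accepted server).
    SASLprep and ','/'=' escaping of the username are omitted for brevity."""
    h = verifier.hash_name
    nonce = (cnonce + snonce).encode()
    client_first_bare = f"n={username},r={cnonce}".encode()
    server_first = (b"r=" + nonce + b",s=" + base64.b64encode(verifier.salt)
                    + b",i=%d" % verifier.iterations)
    client_final_bare = b"c=" + CHANNEL_BINDING + b",r=" + nonce
    auth_message = b",".join([client_first_bare, server_first, client_final_bare])

    # Client: rebuild SaltedPassword from the plaintext and prove ClientKey.
    salted = hashlib.pbkdf2_hmac(h, password, verifier.salt, verifier.iterations)
    client_key = hmac.new(salted, b"Client Key", h).digest()
    client_sig = hmac.new(hashlib.new(h, client_key).digest(), auth_message, h).digest()
    client_final = client_final_bare + b",p=" + base64.b64encode(_xor(client_key, client_sig))

    # Server: ClientKey = proof XOR HMAC(StoredKey, AuthMessage); accept iff
    # H(ClientKey) == StoredKey. Neither plaintext nor SaltedPassword is needed.
    proof = base64.b64decode(client_final.rsplit(b",p=", 1)[1])
    recovered = _xor(proof, hmac.new(verifier.stored_key, auth_message, h).digest())
    client_ok = hmac.compare_digest(hashlib.new(h, recovered).digest(), verifier.stored_key)
    server_final = (b"v=" + base64.b64encode(hmac.new(verifier.server_key, auth_message, h).digest())
                    if client_ok else b"e=invalid-proof")

    # Client: mutual authentication, the server must have known ServerKey.
    expected = hmac.new(hmac.new(salted, b"Server Key", h).digest(), auth_message, h).digest()
    server_ok = (server_final.startswith(b"v=")
                 and hmac.compare_digest(base64.b64decode(server_final[2:]), expected))
    return [GS2_HEADER + client_first_bare, server_first, client_final, server_final], client_ok, server_ok


class PlaintextBackend:
    """Keeps plaintext, so any hash, iteration count or other SASL mechanism can
    be served. derivations counts PBKDF2 runs; use_cache=True is option #3."""
    def __init__(self, use_cache):
        self.use_cache, self.derivations = use_cache, 0
        self._passwords, self._salts, self._cache = {}, {}, {}

    def set_password(self, user, password):
        self._passwords[user] = password
        self._cache = {k: v for k, v in self._cache.items() if k[0] != user}

    def verifier_for(self, user, hash_name, iterations):
        salt = self._salts.setdefault(user, os.urandom(16))  # stable per user
        key = (user, hash_name, iterations)
        if self.use_cache and key in self._cache:
            return self._cache[key]
        self.derivations += 1
        v = derive_verifier(self._passwords[user], salt, iterations, hash_name)
        if self.use_cache:
            self._cache[key] = v
        return v


def login_cost(use_cache, logins=5, hash_name="sha1", iterations=4096):
    """Log one user in `logins` times and return how many PBKDF2 runs it cost."""
    backend = PlaintextBackend(use_cache)
    backend.set_password("user", b"pencil")
    for _ in range(logins):
        v = backend.verifier_for("user", hash_name, iterations)
        _, ok, _ = scram_exchange("user", b"pencil", v, secrets.token_urlsafe(18), secrets.token_urlsafe(12))
        assert ok, "proof rejected"
    return backend.derivations


if __name__ == "__main__":
    v = derive_verifier(b"pencil", SAMPLE_SALT, 4096)
    print(b"\n".join(scram_exchange("user", b"pencil", v, CLIENT_NONCE, SERVER_NONCE)[0]).decode())
    print("PBKDF2 runs for 5 logins: no cache", login_cost(False), "/ cache", login_cost(True))
```

The server half of scram_exchange only ever reads stored_key and server_key, which is what makes a hashed-only backend attractive: a copy of the database does not yield passwords or anything usable with another mechanism. The same property is the limitation Kurt raises: derive_verifier needs the plaintext, so a backend holding only ScramVerifier rows is bound to that hash, salt and iteration count and cannot serve a mechanism whose verification needs the plaintext or a different digest (CRAM-MD5 and DIGEST-MD5, for example). login_cost makes the cost of option #2 concrete (one PBKDF2 run per login, 5 for 5 logins) against option #3 (one run, then cache hits); note that each cached entry is itself a per-(hash, iteration count) verifier, so the cache bounds CPU but the plaintext store still has to be protected.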