Peter Saint-Andre <[email protected]> writes:

> On 12/16/09 9:03 AM, Simon Tennant (Buddycloud) wrote:
>> I'm curious what the community makes of the recent news
>> http://www.techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/
>> given SASL's cleartext password storage? It seems like a monster breach.
>
> This topic is more appropriate for the [email protected] list, but here
> goes anyway...
>
> We've had these debates for years. And this is not tied to SASL, but if
> you want to offer multiple SASL mechanisms (DIGEST-MD5, SCRAM, PLAIN
> over TLS, CRAM-MD5, etc.), then I think it's difficult or impossible to
> have hashed passwords.

If you don't store the hashed password for SCRAM, you need to burn CPU time
for every login to derive the SCRAM hash keys. That doesn't scale well.

/Simon

_______________________________________________
JDev mailing list
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
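Simon's point about burning CPU on every login, shown as an added example that is not code from the thread: a SCRAM-SHA-1 server that keeps only StoredKey and ServerKey (RFC 5802) pays the PBKDF2 cost once at enrolment and then verifies a client proof with one HMAC and one SHA-1, whereas a server holding the cleartext password must rerun PBKDF2 on every login. The salt, iteration count and AuthMessage below are constructed for the demo; Peter's trade-off still applies, since such a record cannot serve DIGEST-MD5 or CRAM-MD5.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Added example, not code from the thread: SCRAM-SHA-1 key handling per RFC 5802.
# Salt, iteration count and the AuthMessage in __main__ are constructed values.

@dataclass(frozen=True)
class ScramRecord:
    """What a SCRAM server stores instead of the cleartext password."""
    salt: bytes
    iterations: int
    stored_key: bytes  # H(ClientKey)
    server_key: bytes  # HMAC(SaltedPassword, "Server Key")

def _keys_from_password(password: str, salt: bytes, iterations: int):
    """The expensive PBKDF2 step (Hi in RFC 5802); returns (ClientKey, ServerKey)."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return client_key, server_key

def enroll(password: str, salt: bytes, iterations: int = 4096) -> ScramRecord:
    """Run PBKDF2 once at enrolment, then keep only StoredKey and ServerKey."""
    client_key, server_key = _keys_from_password(password, salt, iterations)
    return ScramRecord(salt, iterations, hashlib.sha1(client_key).digest(), server_key)

def client_proof(password: str, rec: ScramRecord, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, _ = _keys_from_password(password, rec.salt, rec.iterations)
    stored_key = hashlib.sha1(client_key).digest()
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))

def verify_proof(rec: ScramRecord, auth_message: bytes, proof: bytes) -> bool:
    """Server side from the stored record only: no PBKDF2 on the login path.
    Recover ClientKey from the proof and check that H(ClientKey) == StoredKey."""
    signature = hmac.new(rec.stored_key, auth_message, hashlib.sha1).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), rec.stored_key)

if __name__ == "__main__":
    rec = enroll("correct horse", b"constructed-salt")
    auth_message = b"n=user,r=cnonce,r=cnonce1234,s=Y29uc3RydWN0ZWQtc2FsdA==,i=4096,c=biws,r=cnonce1234"
    good = client_proof("correct horse", rec, auth_message)
    bad = client_proof("wrong", rec, auth_message)
    print("accepted:", verify_proof(rec, auth_message, good))  # True
    print("rejected:", verify_proof(rec, auth_message, bad))   # False
```

The client still runs PBKDF2 once per login; only the server's per-login cost is removed, which is the scaling point above.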
