Tomasz Sterna <[email protected]> writes:

> On 2009-12-17, Thu at 14:35 +0100, Simon Josefsson writes:
>> If you don't store the hashed password for SCRAM, you need to burn CPU
>> time for every login to derive the SCRAM hash keys. That doesn't scale
>> well.
>
> Why do you say so?
>
> It scales well vertically by CPU upgrade, and horizontally by putting
> more machines/CPUs to handle user connections.
Sure, but caching the hashed values scales better. Remember, we are not
talking about just one hash call; there are typically 4096 hash iterations
when deriving the keys from a password in SCRAM.

If you do want to hash the password on every authentication with SCRAM,
make sure you use the same salt and iteration count every time; otherwise
clients cannot cache ClientKey & ServerKey (or SaltedPassword), which will
cause performance problems for mobile devices...

...unless you use a very low iteration count value (e.g., 1). Is that
what you are suggesting?

/Simon
_______________________________________________
JDev mailing list
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
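As an added example (my own code, not from Simon's message or from any jdev project), here is the SCRAM-SHA-1 derivation of RFC 5802 in Python, showing where the 4096-iteration Hi() cost lands in the two designs discussed above. A server that stores StoredKey and ServerKey runs Hi once at enrollment and then does two HMACs and one hash per login; a server that keeps the password and re-derives per login pays the full PBKDF2 cost every time, and if it also picks a fresh salt per login the client's SaltedPassword cache never hits. The exchange in rfc5802_example() is the RFC's own section 5 test vector (user "user", password "pencil"); the salts and AuthMessage in hi_calls_over_logins() and wrong_password_rejected() are constructed stand-ins, not real traffic.

```python
"""SCRAM-SHA-1 key derivation and verification (RFC 5802), to show where the
4096-iteration cost lands on the server and on the client."""
import base64
import hashlib
import hmac

HASH = "sha1"  # SCRAM-SHA-1; "sha256" here would give SCRAM-SHA-256 (RFC 7677)
DIGEST_LEN = hashlib.new(HASH).digest_size


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi(str, salt, i) from RFC 5802 section 2.2: PBKDF2 with HMAC-SHA-1,
    output length of one digest.  This is the expensive step (i=4096 typically)."""
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations, DIGEST_LEN)


def derive_keys(salted_password: bytes):
    """ClientKey, StoredKey and ServerKey from SaltedPassword (RFC 5802 section 3)."""
    client_key = hmac.new(salted_password, b"Client Key", HASH).digest()
    stored_key = hashlib.new(HASH, client_key).digest()
    server_key = hmac.new(salted_password, b"Server Key", HASH).digest()
    return client_key, stored_key, server_key


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(password: bytes, salt: bytes, iterations: int) -> dict:
    """Server side, once per password change: run Hi and keep only
    (salt, i, StoredKey, ServerKey).  The password itself is not stored."""
    _, stored_key, server_key = derive_keys(hi(password, salt, iterations))
    return {"salt": salt, "i": iterations, "stored_key": stored_key, "server_key": server_key}


def server_verify(record: dict, auth_message: bytes, client_proof: bytes):
    """Server side, per login: two HMACs and one hash, no PBKDF2 at all.
    Returns ServerSignature on success, None on failure."""
    client_signature = hmac.new(record["stored_key"], auth_message, HASH).digest()
    client_key = xor_bytes(client_proof, client_signature)  # ClientProof := ClientKey XOR ClientSignature
    if not hmac.compare_digest(hashlib.new(HASH, client_key).digest(), record["stored_key"]):
        return None
    return hmac.new(record["server_key"], auth_message, HASH).digest()


class Client:
    """Client that caches SaltedPassword keyed by (salt, i), as a phone would."""

    def __init__(self, password: bytes):
        self.password = password
        self.cache = {}
        self.hi_calls = 0  # how many times the 4096-iteration PBKDF2 actually ran

    def proof(self, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
        key = (salt, iterations)
        if key not in self.cache:  # cache only helps if the server keeps salt and i stable
            self.hi_calls += 1
            self.cache[key] = hi(self.password, salt, iterations)
        client_key, stored_key, _ = derive_keys(self.cache[key])
        client_signature = hmac.new(stored_key, auth_message, HASH).digest()
        return xor_bytes(client_key, client_signature)


def rfc5802_example() -> dict:
    """The SCRAM-SHA-1 exchange from RFC 5802 section 5 (user "user", password "pencil")."""
    salt = base64.b64decode("QSXCR+Q6sek8bf92")
    client_first_bare = b"n=user,r=fyko+d2lbbFgONRv9qkxdawL"
    server_first = b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
    client_final_bare = b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
    auth_message = b",".join([client_first_bare, server_first, client_final_bare])
    record = enroll(b"pencil", salt, 4096)
    proof = Client(b"pencil").proof(salt, 4096, auth_message)
    server_signature = server_verify(record, auth_message, proof)
    return {
        "proof": base64.b64encode(proof).decode(),
        "server_signature": base64.b64encode(server_signature).decode() if server_signature else None,
    }


def hi_calls_over_logins(logins: int, rotate_salt: bool) -> int:
    """A server that keeps the raw password and re-derives keys on every login
    (the design argued against above) may also pick a fresh salt each time;
    count how often the client then has to rerun Hi.  Salts and the
    AuthMessage here are constructed stand-ins."""
    client = Client(b"pencil")
    auth_message = b"n=user,r=cnonce,r=cnoncesnonce,s=AAAA,i=4096,c=biws,r=cnoncesnonce"
    for n in range(logins):
        salt = bytes([n]) * 16 if rotate_salt else b"\x00" * 16
        record = enroll(b"pencil", salt, 4096)  # server burns 4096 iterations here, every login
        assert server_verify(record, auth_message, client.proof(salt, 4096, auth_message))
    return client.hi_calls


def wrong_password_rejected() -> bool:
    """A proof built from the wrong password must not verify (constructed inputs)."""
    salt = b"\x01" * 16
    record = enroll(b"pencil", salt, 4096)
    auth_message = b"constructed auth message"
    bad_proof = Client(b"pencil2").proof(salt, 4096, auth_message)
    return server_verify(record, auth_message, bad_proof) is None


if __name__ == "__main__":
    print(rfc5802_example())
    print("Hi calls, stable salt:", hi_calls_over_logins(3, rotate_salt=False))
    print("Hi calls, rotating salt:", hi_calls_over_logins(3, rotate_salt=True))
```

The point to take from server_verify() is that the stored record (salt, i, StoredKey, ServerKey) is all the verifier needs, so the per-login cost is independent of i; the point to take from hi_calls_over_logins() is that a client's SaltedPassword cache is keyed by salt and iteration count, so a server that re-derives from the password with a changing salt forces the client through all 4096 iterations on every connection.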
