On 12/17/09 6:47 AM, Kurt Zeilenga wrote:
> On Dec 17, 2009, at 5:35 AM, Simon Josefsson wrote:
>
>> If you don't store the hashed password for SCRAM, you need to burn
>> CPU time for every login to derive the SCRAM hash keys. That
>> doesn't scale well.
>
> If you ONLY store the hash keys, you limit which password-based
> mechanisms can be used. That might be okay in small enterprise
> deployments, but seems quite problematic for large (internet scale)
> service providers.

Agreed. That's the main reason we won't deploy hashed-only on the backend plus SCRAM-only on the wire at jabber.org.

Peter

--
Peter Saint-Andre
https://stpeter.im/
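
Added example, not part of the original thread: a Python sketch of the trade-off discussed above, using the SCRAM-SHA-1 key derivation as later published in RFC 5802. The function names, sample salt and auth message are constructed for illustration, SASLprep is omitted (ASCII passwords assumed), and DIGEST-MD5 is used here only as one instance of a mechanism that needs a different secret.

```python
import hashlib
import hmac

def h(data):
    return hashlib.sha1(data).digest()

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_record(password, salt, iterations):
    """Expensive step (PBKDF2). Hashed-only storage runs it once, at provisioning."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = mac(salted, b"Client Key")
    return {"salt": salt, "i": iterations,
            "stored_key": h(client_key),
            "server_key": mac(salted, b"Server Key")}

def client_proof(password, salt, iterations, auth_message):
    """Client side: it holds the password, so it pays for PBKDF2 itself."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = mac(salted, b"Client Key")
    return xor(client_key, mac(h(client_key), auth_message))

def verify_with_record(record, auth_message, proof):
    """Server with stored hash keys: two HMACs and one hash per login, no PBKDF2."""
    client_key = xor(proof, mac(record["stored_key"], auth_message))
    if not hmac.compare_digest(h(client_key), record["stored_key"]):
        return None
    return mac(record["server_key"], auth_message)  # ServerSignature

def verify_with_plaintext(password, salt, iterations, auth_message, proof):
    """Server with plaintext storage: burns PBKDF2 CPU time on every login."""
    record = make_record(password, salt, iterations)
    return verify_with_record(record, auth_message, proof)

def digest_md5_secret(user, realm, password):
    """DIGEST-MD5 needs H(user:realm:password). It cannot be computed from
    stored_key/server_key, so a hashed-only backend cannot offer it."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()

# Constructed sample values, not taken from the thread.
SALT = b"constructed-salt"
AUTH_MESSAGE = b"n=user,r=abc,r=abcdef,s=Y29uc3Q=,i=4096,c=biws,r=abcdef"
```
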
_______________________________________________
JDev mailing list
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
_______________________________________________
