Peter Saint-Andre <stpe...@stpeter.im> writes:

>>> Agreed. That's the main reason we won't deploy hashed-only on the
>>> backend plus SCRAM-only on the wire at jabber.org.
>>
>> So will you 1) not support SCRAM at all, or 2) derive the hash keys from
>> the plaintext passwords during authentication, or 3) cache the derived
>> hash keys for a user?
>
> I'm not sure yet. Definitely not #1, probably #2, maybe #3.
For #2, how many authentications happen per minute? My laptop does around 1.000.000 SHA-1 hashes on small data per second, so using a 4096 iteration count leads to a limit of around 250 authentications per second just counting the hashing. So if you aren't anywhere near that (or can use multiple machines), the delay because of hashing may be irrelevant.

However, making sure you use the same salt for each user may be the problematic part in some environments. Otherwise you will cause clients to have to re-compute the keys every time too.

/Simon

_______________________________________________
JDev mailing list
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: jdev-unsubscr...@jabber.org
_______________________________________________
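The two deployment options discussed above (recompute the SCRAM keys from the plaintext password on every login, or store the derived keys once) can be shown side by side in code. The following is an added example, not code from this thread or from jabber.org's deployment: it implements the RFC 5802 SCRAM-SHA-1 derivation with Python's standard library, builds the stored verifier (salt, iteration count, StoredKey, ServerKey), and verifies a client proof from those cached keys without touching Hi() or the password again. The constants come from the worked example in RFC 5802 section 5 (user "user", password "pencil"); the `hi_throughput` helper and its benchmark password are assumptions added to measure the per-login cost that option #2 pays.

```python
"""SCRAM-SHA-1 (RFC 5802) key derivation, with the server-side check that
avoids recomputing Hi() on every authentication (added example)."""
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

HASH = "sha1"


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802: PBKDF2 with HMAC-SHA-1 and one output block."""
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations)


def make_verifier(password: str, salt: bytes, iterations: int) -> dict:
    """What a server stores when it caches derived keys (option #3 above):
    salt, iteration count, StoredKey and ServerKey. Hi() runs once here and
    the plaintext password is not needed afterwards."""
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    server_key = hmac.new(salted, b"Server Key", HASH).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha1(client_key).digest(),
        "server_key": server_key,
    }


def client_proof(password: str, salt: bytes, iterations: int,
                 auth_message: bytes) -> Tuple[bytes, bytes]:
    """Client side: returns (ClientProof, SaltedPassword). A client may cache
    SaltedPassword and skip Hi() next time, but only while the server keeps
    the same salt and iteration count for this user."""
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, HASH).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
    return proof, salted


def server_verify(verifier: dict, auth_message: bytes,
                  proof: bytes) -> Optional[bytes]:
    """Server side using cached keys only: no Hi(), no password. Recovers
    ClientKey from the proof, checks H(ClientKey) == StoredKey, and returns
    ServerSignature on success or None on failure."""
    client_sig = hmac.new(verifier["stored_key"], auth_message, HASH).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    if not hmac.compare_digest(hashlib.sha1(client_key).digest(),
                               verifier["stored_key"]):
        return None
    return hmac.new(verifier["server_key"], auth_message, HASH).digest()


def hi_throughput(iterations: int, seconds: float = 0.2) -> float:
    """Rough count of Hi() derivations per second on this machine, i.e. the
    ceiling option #2 hits when every login recomputes the keys
    (assumed helper; benchmark password is a constructed value)."""
    salt = b"\x00" * 16
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hi(b"benchmark-password", salt, iterations)
        n += 1
    return n / (time.perf_counter() - start)


# RFC 5802 section 5 example exchange: AuthMessage is
# client-first-message-bare "," server-first-message "," client-final-without-proof.
RFC_SALT = base64.b64decode("QSXCR+Q6sek8bf92")
RFC_ITERATIONS = 4096
RFC_AUTH_MESSAGE = (
    b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
    b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
    b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
)


def rfc_example() -> dict:
    """Runs the RFC 5802 vectors through both sides and returns base64 results,
    plus a check that a garbage proof is rejected."""
    verifier = make_verifier("pencil", RFC_SALT, RFC_ITERATIONS)
    proof, _ = client_proof("pencil", RFC_SALT, RFC_ITERATIONS, RFC_AUTH_MESSAGE)
    server_sig = server_verify(verifier, RFC_AUTH_MESSAGE, proof)
    rejected = server_verify(verifier, RFC_AUTH_MESSAGE, bytes(20)) is None
    return {
        "client_proof": base64.b64encode(proof).decode(),
        "server_signature": base64.b64encode(server_sig).decode() if server_sig else None,
        "wrong_proof_rejected": rejected,
    }


if __name__ == "__main__":
    print(rfc_example())
    rate = hi_throughput(RFC_ITERATIONS)
    print(f"Hi() at {RFC_ITERATIONS} iterations: about {rate:.0f} per second")
```

`make_verifier` is the one-time cost; `server_verify` is what each login costs once the keys are cached, which is a handful of HMAC and SHA-1 calls rather than 4096 iterations. The salt point from the message shows up in `client_proof`: the cached SaltedPassword is only reusable while the `salt` and `iterations` the server sends stay fixed per user, so rotating the salt on every request forces the client back through Hi() each time.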