On Dec 17, 2009, at 9:55 AM, Simon Josefsson wrote:

> Low iteration counts remove one nice feature of SCRAM (mitigating
> dictionary attacks on stolen hash databases).

It's only a nice feature if you can take advantage of it. If you need to support multiple password mechanisms, each with their own hashed password, you'd end up storing each. And then the attacker need only attack the weakest. And with the need for service providers to support DIGEST-MD5 and CRAM-MD5, the two most popular password-based mechanisms, the weakest is not much stronger than cleartext.

> It is possible to get the
> features back, without the high iteration cost, by using SRP though.
> (But obviously SRP has other pros and cons..)

_______________________________________________
JDev mailing list
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
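The "attacker need only attack the weakest" point above, worked through as an added example that is not part of the thread or of any XMPP server's code. It derives the verifier each mechanism leaves on the server for one account (SCRAM-SHA-1 per RFC 5802, the DIGEST-MD5 HA1 per RFC 2831, and the CRAM-MD5 shared secret per RFC 2195), then runs the same offline dictionary attack against each stolen verifier and counts the hash work the attacker has to spend. The account name, realm, password and wordlist are constructed for the example; CRAM-MD5 storage is modelled as the cleartext password, since the cached HMAC-MD5 key state some servers keep instead is password-equivalent anyway. Work is counted in hash-block operations: one PBKDF2 iteration, one HMAC or one digest each count as one.

```python
import hashlib
import hmac
import os

# Constructed sample data (assumption, not from the thread): a weak password
# that is in a short wordlist, so every attack succeeds and the only
# difference is how much work each stolen verifier forces on the attacker.
USERNAME = "juliet"
REALM = "example.org"          # DIGEST-MD5 realm, chosen for illustration
PASSWORD = "password123"
WORDLIST = ["letmein", "qwerty", "123456", "password", "capulet", "password123"]

SCRAM_ITERATIONS = 4096        # RFC 5802 minimum recommended iteration count


def scram_verifier(password: str, salt: bytes, iterations: int) -> dict:
    """What a SCRAM-SHA-1 server stores (RFC 5802 section 3): salt, i,
    StoredKey = H(HMAC(SaltedPassword, "Client Key")) and ServerKey."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {"salt": salt, "i": iterations, "stored_key": stored_key, "server_key": server_key}


def digest_md5_verifier(username: str, realm: str, password: str) -> bytes:
    """HA1 = MD5(username:realm:password); a DIGEST-MD5 server may store this
    instead of the password (RFC 2831 section 3.9). Unsalted, one MD5."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def cram_md5_verifier(password: str) -> bytes:
    """CRAM-MD5 (RFC 2195) needs the shared secret itself to compute the
    HMAC-MD5 response, so the server keeps the password (modelled here as
    cleartext; a cached HMAC key state is password-equivalent)."""
    return password.encode("utf-8")


def attack_scram(v: dict, wordlist) -> tuple:
    """Offline dictionary attack on a stolen StoredKey. Each guess costs the
    full PBKDF2 run (i iterations) plus one HMAC and one hash."""
    work = 0
    for guess in wordlist:
        work += v["i"]
        salted = hashlib.pbkdf2_hmac("sha1", guess.encode("utf-8"), v["salt"], v["i"])
        client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
        work += 2
        if hmac.compare_digest(hashlib.sha1(client_key).digest(), v["stored_key"]):
            return guess, work
    return None, work


def attack_digest_md5(ha1: bytes, username: str, realm: str, wordlist) -> tuple:
    """One unsalted MD5 per guess: a stolen HA1 is barely better than cleartext."""
    work = 0
    for guess in wordlist:
        work += 1
        if hmac.compare_digest(digest_md5_verifier(username, realm, guess), ha1):
            return guess, work
    return None, work


def attack_cram_md5(secret: bytes, wordlist) -> tuple:
    """Nothing to crack: the stored secret is the password."""
    return secret.decode("utf-8"), 0


def weakest_link(wordlist=WORDLIST) -> dict:
    """Store all three verifiers for one account, as a server that offers
    SCRAM-SHA-1, DIGEST-MD5 and CRAM-MD5 must, then attack each stolen copy.
    Returns {mechanism: (recovered password, attacker work)}."""
    salt = os.urandom(16)
    scram = scram_verifier(PASSWORD, salt, SCRAM_ITERATIONS)
    ha1 = digest_md5_verifier(USERNAME, REALM, PASSWORD)
    cram = cram_md5_verifier(PASSWORD)
    return {
        "SCRAM-SHA-1": attack_scram(scram, wordlist),
        "DIGEST-MD5": attack_digest_md5(ha1, USERNAME, REALM, wordlist),
        "CRAM-MD5": attack_cram_md5(cram, wordlist),
    }


if __name__ == "__main__":
    for mech, (pw, work) in weakest_link().items():
        print(f"{mech:12s} recovered={pw!r:15s} attacker work={work} hash operations")
```

With the six-word list the SCRAM copy costs the attacker 6 * (4096 + 2) hash operations, the DIGEST-MD5 copy costs 6, and the CRAM-MD5 copy costs nothing; since all three verifiers sit in the same stolen database, the iteration count on the SCRAM entry buys the account nothing. Raising the iteration count only moves the left-hand number; the right-hand ones are fixed by the other mechanisms' design.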
