On 18.12.2009 02:33, Kurt Zeilenga wrote:
On Dec 17, 2009, at 9:55 AM, Simon Josefsson wrote:
Low iteration counts remove one nice feature of SCRAM (mitigating
dictionary attacks on stolen hash databases).
It's only a nice feature if you can take advantage of it. If you need to
support multiple password mechanisms, each with their own hashed password,
you'd end up storing each. And then the attacker need only attack the weakest.
And with the need for service providers to support DIGEST-MD5 and CRAM-MD5, two of the
most popular password-based mechanisms, the weakest is not much stronger than
cleartext.
Storing a hash for every mechanism will not work. E.g. for DIGEST-MD5
the server has to hash the clear-text password with a value the client
provides. So the server needs the clear-text password. And if the server
is able to get the clear-text password, everyone with the same rights on
the server can retrieve the clear-text passwords too.
Regards,
Alexander
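As an added illustration of the two storage models being argued about (not code from the thread or from any project mentioned in it), the following Python sketches what a SCRAM-SHA-1 server stores and verifies per RFC 5802 next to what CRAM-MD5 verification per RFC 2195 requires; the salt, AuthMessage and challenge values are constructed for the example.

```python
import hashlib
import hmac

def scram_hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802: PBKDF2 with HMAC-SHA-1, output length 20 bytes."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, 20)

def scram_stored_credentials(password: str, salt: bytes, iterations: int) -> dict:
    """What a SCRAM-SHA-1 server keeps: salt, iteration count, StoredKey, ServerKey.
    Neither the clear-text password nor SaltedPassword is retained, and the
    iteration count sets the work per guess against a stolen copy of this record."""
    salted = scram_hi(password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha1(client_key).digest(), "server_key": server_key}

def scram_client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = scram_hi(password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))

def scram_server_verify(creds: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server side: unmask ClientKey from the proof and check H(ClientKey) == StoredKey."""
    signature = hmac.new(creds["stored_key"], auth_message, hashlib.sha1).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), creds["stored_key"])

def cram_md5_client_response(password: str, challenge: bytes) -> str:
    """CRAM-MD5 (RFC 2195): the client answers with HMAC-MD5 keyed by the password."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()

def cram_md5_server_verify(password: str, challenge: bytes, response_hex: str) -> bool:
    """The server recomputes the same HMAC, so it must be able to key MD5 with the
    password itself; a SCRAM-style StoredKey does not allow this."""
    return hmac.compare_digest(cram_md5_client_response(password, challenge), response_hex)

if __name__ == "__main__":
    salt = b"constructed-salt"                                            # constructed value
    auth_msg = b"n=user,r=cnonce,s=c2FsdA==,i=4096,c=biws,r=cnoncesnonce"  # constructed value
    creds = scram_stored_credentials("pencil", salt, 4096)
    proof = scram_client_proof("pencil", salt, 4096, auth_msg)
    print("SCRAM proof accepted:", scram_server_verify(creds, auth_msg, proof))
    print("CRAM-MD5 accepted:", cram_md5_server_verify(
        "pencil", b"<1@host>", cram_md5_client_response("pencil", b"<1@host>")))
```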
JDev mailing list
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev