Hm yes you are right, never thought that through as it seems.

But does it really help not saving the pass on the client, what do I save
instead? The challenge I send? If this is acquired by an attacker he can
still access my account.

regards

On Thu, 24 Jan 2019 at 16:01, Sam Whited <s...@samwhited.com> wrote:

> On Thu, Jan 24, 2019, at 15:55, Philipp Hörist wrote:
> > SCRAM is not a mechanism to hide the password from the server
> > operator. It's a mechanism to make it possible for the server operator
> > to NOT store the password after getting it.
>
> This is also easily accomplished with PLAIN. PLAIN also makes upgrading
> the password storage mechanism much more agile so it's probably safer
> for most use cases.
>
> That being said, it does require that you store the password on the
> client (unless you want the user to enter it every time), so I see that
> as the primary benefit of using SCRAM, not stopping the server operator
> from having to store it.
>
> —Sam
> _______________________________________________
> Standards mailing list
> Info: https://mail.jabber.org/mailman/listinfo/standards
> Unsubscribe: standards-unsubscr...@xmpp.org
> _______________________________________________
>
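
As an added illustration of what a SCRAM client can keep in place of the password (this is not code from the thread or from any XMPP client): the sketch below derives ClientKey and ServerKey once and then builds the proof for a later login from those cached keys alone. The message values are the SCRAM-SHA-1 example exchange from RFC 5802 section 5; the function names are hypothetical and SASLprep normalization is assumed to be unnecessary for the ASCII sample password.

```python
import base64
import hashlib
import hmac

# Values from the RFC 5802 section 5 example exchange (SCRAM-SHA-1).
PASSWORD = "pencil"  # ASCII only, so SASLprep is skipped (assumption of this example)
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
ITERATIONS = 4096
CLIENT_FIRST_BARE = "n=user,r=fyko+d2lbbFgONRv9qkxdawL"
SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
CLIENT_FINAL_NO_PROOF = "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
AUTH_MESSAGE = ",".join([CLIENT_FIRST_BARE, SERVER_FIRST, CLIENT_FINAL_NO_PROOF]).encode()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()


def client_cache_entry(password: str, salt: bytes, iterations: int) -> dict:
    """Run once while the password is in memory; persist this, not the password."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)  # Hi()
    return {
        "salt": salt,
        "iterations": iterations,
        "client_key": _hmac(salted, b"Client Key"),
        "server_key": _hmac(salted, b"Server Key"),
    }


def client_proof(entry: dict, auth_message: bytes) -> str:
    """Later logins: build the p= value from the cached ClientKey only."""
    stored_key = hashlib.sha1(entry["client_key"]).digest()
    signature = _hmac(stored_key, auth_message)
    proof = bytes(a ^ b for a, b in zip(entry["client_key"], signature))
    return base64.b64encode(proof).decode()


def expected_server_signature(entry: dict, auth_message: bytes) -> str:
    """Lets the client check the server's v= value without the password."""
    return base64.b64encode(_hmac(entry["server_key"], auth_message)).decode()


def cache_usable(entry: dict, salt: bytes, iterations: int) -> bool:
    """Cached keys are bound to the salt and iteration count they were derived with."""
    return entry["salt"] == salt and entry["iterations"] == iterations
```

The cached ClientKey is still enough to authenticate to this one account for as long as the server keeps the same salt and iteration count; what it does not give a thief is the password itself, so it cannot be tried against other services.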
