On Fri, Jan 25, 2019, at 12:08, Evgeny wrote:

> We already have "avalanche problem" caused by server restarts, and
> SASL PLAIN + SCRAM'ed passwords only worsen it. Also, if an attacker
> harvests enough JIDs it may successfully perform DDoS against the
> server forcing it to compute HMACs at a high rate.
This isn't a problem with SCRAM specifically; if you're doing password storage right (e.g. using PLAIN then hashing), you should have fairly high CPU and memory pressure. The answer isn't to start storing passwords in plain text, or use a faster hash (which would defeat the purpose of using something like Argon2, PBKDF2, or bcrypt in the first place), it's to limit the rate of logins to something your server can handle.

—Sam

_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
_______________________________________________
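The mitigation Sam describes, rate-limiting authentication attempts so the expensive password-hash computation is only reached by traffic the server can afford, as an added example that is not part of the thread and not ejabberd's or any XMPP server's code. It models SCRAM-style salted PBKDF2 verifiers behind a per-source token bucket; the bucket sizes, the JIDs, the client address 198.51.100.7 and the iteration count are constructed assumptions, and the clock is injectable so the flood can be simulated without waiting.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed assumption: a realistic server-side cost per verification.
# Each check costs roughly tens of milliseconds, which is the point: the
# cost is deliberate and should not be lowered to survive a login flood.
PBKDF2_ITERATIONS = 100_000


class TokenBucket:
    """Allow `capacity` attempts in a burst, then `rate` attempts per second."""

    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock
        self.tokens = float(capacity)
        self.last = clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class AuthServer:
    """Hypothetical login path: cheap rate check first, expensive hash second."""

    def __init__(self, burst=5, rate=1.0, clock=time.monotonic):
        self.users = {}  # jid -> (salt, stored verifier)
        self.buckets = defaultdict(lambda: TokenBucket(burst, rate, clock))
        self.hashes_computed = 0  # how many times the expensive path ran

    def register(self, jid, password):
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.users[jid] = (salt, verifier)

    def _verify(self, jid, password):
        self.hashes_computed += 1
        # Unknown JIDs still pay for a hash so timing does not reveal which
        # accounts exist; the dummy salt/verifier can never match.
        salt, stored = self.users.get(jid, (b"\x00" * 16, b"\x00" * 32))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, stored) and jid in self.users

    def login(self, client_key, jid, password):
        """client_key is what the limit is keyed on (source address here)."""
        if not self.buckets[client_key].allow():
            return "rate-limited"  # rejected before any hashing happens
        return "ok" if self._verify(jid, password) else "bad-credentials"


def simulate(attempts=50, burst=5, rate=1.0):
    """Constructed scenario: one source fires `attempts` logins with harvested
    JIDs at once, then the legitimate user logs in 3 seconds later.
    Returns (hashes_computed, outcome counts)."""
    now = [0.0]  # fake clock so the refill is deterministic
    server = AuthServer(burst=burst, rate=rate, clock=lambda: now[0])
    server.register("alice@example.com", "correct horse")
    outcomes = defaultdict(int)
    for i in range(attempts):
        outcomes[server.login("198.51.100.7", f"user{i}@example.com", "guess")] += 1
    now[0] += 3.0  # bucket refills 3 tokens at rate=1.0/s
    outcomes[server.login("198.51.100.7", "alice@example.com", "correct horse")] += 1
    return server.hashes_computed, dict(outcomes)


if __name__ == "__main__":
    hashes, outcomes = simulate()
    print(f"expensive hashes computed: {hashes}")
    print(f"outcomes: {outcomes}")
```

With a burst of 5 the flood of 50 attempts costs the server 5 PBKDF2 computations instead of 50, and the legitimate login a few seconds later still succeeds. Keying the bucket on the source address rather than the JID matters: a limit keyed on JID alone would let an attacker with a harvested JID list lock real users out with a handful of bogus attempts each.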
