m (Make some language gender neutral)
(Tweak some language around hashes to keep the title short and fix some misconceptions about old hashing mechanisms (which are entirely broken))
Line 118: | Line 118: | ||
== Implement SCRAM | == Implement PLAIN and SCRAM == | ||
=== Description === | === Description === | ||
Line 128: | Line 128: | ||
=== Rationale === | === Rationale === | ||
Hashing and salting passwords helps making it hard to retrieve the plain password from a compromised server. However, we would also like to be able to protect the password while it is in transit. These two concepts are difficult to combine: DIGEST-MD5 and CRAM-MD5 | Hashing and salting passwords helps making it hard to retrieve the plain password from a compromised server. However, we would also like to be able to protect the password while it is in transit. These two concepts are difficult to combine: DIGEST-MD5 and CRAM-MD5 do not protect the password in transit or at rest – the mechanisms can't work if the server wants to store the password hashed and salted. SCRAM protects the password both in flight and at rest. | ||
PLAIN is a widely used fallback that is still useful for servers that store their passwords hashed differently than required by SCRAM. | |||
See [[SASL and SCRAM]] for help with implementing SCRAM | See [[SASL and SCRAM]] for help with implementing SCRAM. |
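Review bot: the new Rationale is inconsistent about in-transit protection in the PLAIN sentence. The paragraph states the goal of protecting the password while it is in transit, then offers PLAIN as a fallback without saying that PLAIN sends the password unchanged and is only safe on a TLS-wrapped connection; add that caveat to "PLAIN is a widely used fallback ...". The replacement wording "DIGEST-MD5 and CRAM-MD5 do not protect the password in transit or at rest" also overstates the reason the sentence itself gives: the stated problem is that those mechanisms can't work if the server stores a salted hash, which is an at-rest limitation (the server must keep the plaintext or a password-equivalent secret), not a transit one. Suggest: "DIGEST-MD5 and CRAM-MD5 avoid sending the plain password, but they cannot work if the server wants to store it hashed and salted, so the stored secret is password-equivalent."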