216
edits
m (Make some language gender neutral) |
Neustradamus (talk | contribs) m |
||
(2 intermediate revisions by one other user not shown) | |||
Line 118: | Line 118: | ||
== Implement SCRAM | == Implement PLAIN and SCRAM == | ||
=== Description === | === Description === | ||
Line 128: | Line 128: | ||
=== Rationale === | === Rationale === | ||
Hashing and salting passwords helps making it hard to retrieve the plain password from a compromised server. However, we would also like to be able to protect the password while it is in transit. These two concepts are difficult to combine: DIGEST-MD5 and CRAM-MD5 | Hashing and salting passwords helps making it hard to retrieve the plain password from a compromised server. However, we would also like to be able to protect the password while it is in transit. These two concepts are difficult to combine: DIGEST-MD5 and CRAM-MD5 do not protect the password in transit or at rest – the mechanisms can't work if the server wants to store the password hashed and salted. SCRAM protects the password both in flight and at rest. | ||
PLAIN is a widely used fallback that is still useful for servers that store their passwords hashed differently than required by SCRAM. | |||
See [[SASL and SCRAM]] for help with implementing SCRAM | See [[SASL Authentication and SCRAM]] for help with implementing SCRAM. | ||
For more detailed and up to date recommendations see [https://xmpp.org/extensions/xep-0438.html XEP-0438: Best practices for password hashing and storage] |
edits