Ask HN: Why don't people use SCRAM for password authentication?
2 points by thristian on Feb 16, 2016 | hide | past | favorite | 2 comments
Blog-posts about password authentication usually talk about encrypting passwords in your database, with the understanding that the user's password will be sent verbatim to the server (possibly over an encrypted transport). The usual alternative is digest authentication, where the verbatim password doesn't go over the network, but the server needs to store the plaintext password on disk, which is even worse.

However, SCRAM authentication (defined in RFC5802) does not pass a verbatim password over the network, does not require a verbatim password stored on the server, or even an unsalted hash. It seems like it ought to be the best possible authentication scheme for all situations - over plaintext, over TLS, whatever. Why isn't it used more heavily? Why isn't it even mentioned in "how to store passwords" threads?
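An added example, not from the thread, of the exchange the question describes: SCRAM-SHA-256 (RFC 5802 mechanism, RFC 7677 hash variant) in Python. `enrol` builds the record the server keeps (salt, iteration count, StoredKey, ServerKey, never the password or an unsalted hash); `scram_exchange` runs both sides in one process so the client proves knowledge of the password without sending it and the server proves it holds the record. Channel binding and SASLprep are omitted, and the function names are this example's own.

```python
import base64, hashlib, hmac, os, secrets

H = hashlib.sha256

def hmac_(key, msg):
    return hmac.new(key, msg, H).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def b64(b):
    return base64.b64encode(b).decode()

def enrol(password, iterations=4096, salt=None):
    """Server-side record at registration: salt, iteration count, StoredKey, ServerKey.
    The password itself is never stored, nor is any unsalted hash of it."""
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac_(salted, b"Client Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": H(client_key).digest(),
            "server_key": hmac_(salted, b"Server Key")}

def scram_exchange(username, password, record, cnonce=None, snonce=None):
    """Run the four SCRAM messages in-process; returns (client_verified, server_verified)."""
    cnonce = cnonce or secrets.token_urlsafe(18)
    snonce = snonce or secrets.token_urlsafe(18)
    client_first_bare = f"n={username},r={cnonce}"          # sent on the wire as "n,," + this
    nonce = cnonce + snonce
    server_first = f"r={nonce},s={b64(record['salt'])},i={record['iterations']}"
    client_final_wo_proof = f"c={b64(b'n,,')},r={nonce}"    # c= carries the GS2 header (no channel binding)
    auth_message = ",".join([client_first_bare, server_first, client_final_wo_proof]).encode()
    # Client: derive keys from the password plus the salt/iterations parsed from server-first.
    _, s_field, i_field = server_first.split(",")
    salt, iters = base64.b64decode(s_field[2:]), int(i_field[2:])
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    client_key = hmac_(salted, b"Client Key")
    client_proof = xor(client_key, hmac_(H(client_key).digest(), auth_message))
    # Server: recover ClientKey from the proof using StoredKey, then check H(ClientKey) == StoredKey.
    recovered = xor(client_proof, hmac_(record["stored_key"], auth_message))
    client_ok = hmac.compare_digest(H(recovered).digest(), record["stored_key"])
    # Server-final: server signs AuthMessage with ServerKey; client checks it against its own derivation.
    server_sig = hmac_(record["server_key"], auth_message)
    server_ok = hmac.compare_digest(server_sig, hmac_(hmac_(salted, b"Server Key"), auth_message))
    return client_ok, server_ok
```

A stolen record lets an attacker impersonate the server (it holds ServerKey) but not the client, since StoredKey is a hash of ClientKey, which is why the question's "not even an unsalted hash" point matters.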




Some servers do support it as an authentication method for various purposes... However, for the web the problem remains: even if the password isn't transported on the wire, the user still needs to enter the password on an HTML/JS page provided by the server (which could be compromised anyway).


Not if HTTP Basic Auth is used -- the browser itself will capture the credentials. Shame kids today don't use it.



