xnyhps | 8 years ago

> Legacy protocols such as FTP and IMAP don't have that luxury, though. There's no way to run a password stretching function on the client.

IMAP uses SASL, which can do client-side stretching by using SCRAM-SHA-1. I don't know how common they are, but there must be some servers and clients that support it.

Downside is that upgrading the mechanism becomes hard, and it's difficult to integrate it with an existing user database with hashed passwords.
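An added example, not part of the comment above: a minimal sketch of the SCRAM-SHA-1 proof computation from RFC 5802, showing that the PBKDF2 stretching runs on the client while the server only checks against a stored `StoredKey`. The function names are hypothetical, SASLprep is skipped (ASCII passwords assumed), and the sample values are the example exchange from RFC 5802 section 5.

```python
import base64
import hashlib
import hmac

def hmac_sha1(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def salted_password(password, salt, iterations):
    # Hi() in RFC 5802 is PBKDF2-HMAC-SHA-1 with a 20-byte output.
    # SASLprep normalisation is skipped: this sketch assumes ASCII passwords.
    return hashlib.pbkdf2_hmac("sha1", password.encode("ascii"), salt, iterations)

def enroll(password, salt, iterations):
    """Server record; deriving it needs the plaintext password once."""
    sp = salted_password(password, salt, iterations)
    return {"salt": salt, "i": iterations,
            "stored_key": hashlib.sha1(hmac_sha1(sp, b"Client Key")).digest(),
            "server_key": hmac_sha1(sp, b"Server Key")}

def client_proof(password, salt, iterations, auth_message):
    """Client side: the expensive stretching happens here, on every login."""
    client_key = hmac_sha1(salted_password(password, salt, iterations), b"Client Key")
    signature = hmac_sha1(hashlib.sha1(client_key).digest(), auth_message)
    return xor(client_key, signature)

def server_verify(record, proof, auth_message):
    """Server side: two HMACs and a hash, no PBKDF2. Returns ServerSignature or None."""
    signature = hmac_sha1(record["stored_key"], auth_message)
    candidate = hashlib.sha1(xor(proof, signature)).digest()
    if not hmac.compare_digest(candidate, record["stored_key"]):
        return None
    return hmac_sha1(record["server_key"], auth_message)

# Example exchange from RFC 5802 section 5 (user "user", password "pencil").
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
ITERATIONS = 4096
AUTH_MESSAGE = (b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
                b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
                b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j")

def demo():
    record = enroll("pencil", SALT, ITERATIONS)
    proof = client_proof("pencil", SALT, ITERATIONS, AUTH_MESSAGE)
    server_sig = server_verify(record, proof, AUTH_MESSAGE)
    return base64.b64encode(proof).decode(), base64.b64encode(server_sig).decode()
```

The server record is tied to SCRAM's own derivation chain, so a database holding hashes from a different scheme cannot be converted into `stored_key` values without seeing each plaintext password again.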
