[SERVER-15295] Don't fail SCRAM-SHA-1 auth on the first response for invalid user Created: 17/Sep/14  Updated: 14/Oct/18  Resolved: 14/Sep/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.7.6
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Andreas Nilsson Assignee: Spencer Jackson
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Tested
Participants:

Comments
Comment by Spencer Jackson [ 14/Sep/18 ]

In the first step of a SCRAM authentication session, a client sends the name of a user to the server. The server replies with information about the user which the client must use to process the plaintext password that it knows into credentials that may be used in subsequent steps. This per-user information includes both a salt and an iteration count. The iteration count is a work factor that can be dialed up to make brute forcing passwords harder. The salt is a defense against rainbow attacks on persisted credentials.
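As an added illustration (not code from this ticket or from the MongoDB server), the client-side SCRAM-SHA-1 derivation the comment describes, next to a server-side handler for the first step that answers an unknown user with a mock salt and the default iteration count, so the first response alone does not reveal whether the user exists. `user_db`, `SERVER_SECRET`, `enroll` and the iteration count are assumed names and values, not the server's own.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 10000      # assumed default work factor
SALT_LEN = 16           # assumed salt length in bytes
SERVER_SECRET = os.urandom(32)  # hypothetical per-server secret, used only to fabricate mock salts


def derive_scram_sha1_credentials(password: str, salt: bytes, iterations: int) -> dict:
    """Client-side SCRAM-SHA-1 steps (RFC 5802): Hi() is PBKDF2-HMAC-SHA-1,
    then ClientKey/ServerKey are HMACs and StoredKey is SHA-1 of ClientKey."""
    salted_password = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted_password, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted_password, b"Server Key", hashlib.sha1).digest()
    return {"salted_password": salted_password, "client_key": client_key,
            "stored_key": stored_key, "server_key": server_key}


def enroll(user_db: dict, username: str, password: str) -> None:
    """Constructed user store: the server persists salt, iteration count,
    StoredKey and ServerKey, never the plaintext password."""
    salt = os.urandom(SALT_LEN)
    creds = derive_scram_sha1_credentials(password, salt, ITERATIONS)
    user_db[username] = {"salt": salt, "iterations": ITERATIONS,
                         "stored_key": creds["stored_key"], "server_key": creds["server_key"]}


def server_first_params(user_db: dict, username: str) -> tuple:
    """Parameters for the server-first message. An unknown user gets a mock salt
    derived deterministically from the username, so repeated attempts see the
    same salt and the reply is shaped like a real user's; the failure surfaces
    later, when the client proof cannot be verified."""
    record = user_db.get(username)
    if record is not None:
        return record["salt"], record["iterations"]
    mock_salt = hmac.new(SERVER_SECRET, username.encode("utf-8"), hashlib.sha256).digest()[:SALT_LEN]
    return mock_salt, ITERATIONS


def server_first_message(user_db: dict, username: str, client_nonce: str) -> str:
    """Build the server-first message r=<nonce>,s=<salt>,i=<iterations>."""
    salt, iterations = server_first_params(user_db, username)
    combined_nonce = client_nonce + base64.b64encode(os.urandom(18)).decode("ascii")
    return "r=%s,s=%s,i=%d" % (combined_nonce, base64.b64encode(salt).decode("ascii"), iterations)
```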
