[SERVER-15295] Don't fail SCRAM-SHA-1 auth on the first response for invalid user
Created: 17/Sep/14 Updated: 14/Oct/18 Resolved: 14/Sep/18
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.7.6 |
| Fix Version/s: | None |
| Type: | Task |
| Priority: | Major - P3 |
| Reporter: | Andreas Nilsson |
| Assignee: | Spencer Jackson |
| Resolution: | Won't Fix |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Participants: | |
Comments

Comment by Spencer Jackson [ 14/Sep/18 ]
In the first step of a SCRAM authentication session, a client sends the name of a user to the server. The server replies with information about the user which the client must use to process the plaintext password that it knows into credentials that may be used in subsequent steps. This per-user information includes both a salt and an iteration count. The iteration count is a work factor that can be dialed up to make brute-forcing passwords harder. The salt is a defense against rainbow attacks on persisted credentials.
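As an added example (not code from this ticket or from the server itself), the RFC 5802 credential derivation the comment describes, alongside a server-first step that answers an unknown username with a stable mock salt and the default iteration count instead of failing, which is the behaviour the ticket title asks for. `DEFAULT_ITERATIONS`, the `USERS` store and `MOCK_SALT_KEY` are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
import secrets

DEFAULT_ITERATIONS = 10000  # assumed default work factor for this example


def derive_credentials(password: str, salt: bytes, iterations: int) -> dict:
    """RFC 5802 derivation with SHA-1: the client turns its plaintext password
    plus the server-supplied salt and iteration count into the keys used in
    later steps. A server persists only stored_key and server_key."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "salted_password": salted,
        "client_key": client_key,
        "stored_key": hashlib.sha1(client_key).digest(),
        "server_key": hmac.new(salted, b"Server Key", hashlib.sha1).digest(),
    }


# Constructed user store for the example (one account, random salt).
USERS = {"alice": derive_credentials("correct horse", os.urandom(16), DEFAULT_ITERATIONS)}

# Assumed per-server secret; it exists only to give unknown names a stable salt.
MOCK_SALT_KEY = secrets.token_bytes(32)


def server_first_message(username: str, client_nonce: str) -> str:
    """Answer the first SCRAM step for any username.

    A known user gets its stored salt and iteration count. An unknown user is
    not rejected here: it gets a salt derived deterministically from the name
    and the default iteration count, so the reply has the same shape whether or
    not the account exists. The mismatch surfaces only when the client proof is
    checked in the next step, where it fails the same way a wrong password does."""
    record = USERS.get(username)
    if record is None:
        salt = hmac.new(MOCK_SALT_KEY, username.encode("utf-8"), hashlib.sha256).digest()[:16]
        iterations = DEFAULT_ITERATIONS
    else:
        salt, iterations = record["salt"], record["iterations"]
    server_nonce = client_nonce + secrets.token_urlsafe(18)
    return f"r={server_nonce},s={base64.b64encode(salt).decode('ascii')},i={iterations}"
```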