
The SCRAM Authentication Protocol - cleeus
https://www.cleeus.de/w/blog/2018/02/13/The_SCRAM_Authentication_Protocol.html
======
davecridland
Nice write-up of it, though I disagree that you can (or should) "recover" from
a database breach in that way. If you detect a database breach, it's likely
considerably after the event, and you should enforce password changes (and
TOTP resyncs).

Also, there's no mention of Channel Binding, which adds considerable
protection against MITM attacks aimed at obtaining the ClientProof off the wire.
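SCRAM-SHA-256 as specified in RFC 5802/7677, as an added example that is not part of the original post or the linked article: the server keeps only StoredKey and ServerKey, the ClientProof is ClientKey XORed with a signature over AuthMessage, and because the c= attribute puts the channel-binding data into AuthMessage, a proof captured on one TLS session does not verify when presented over another. Salt, nonces and the tls-unique bytes are constructed placeholders.

```python
import base64
import hashlib
import hmac

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def server_record(password: str, salt: bytes, iterations: int) -> dict:
    """Per-user server state: StoredKey and ServerKey, never the password.
    RFC 5802 section 9: StoredKey plus one captured ClientProof/AuthMessage
    pair yields ClientKey, which is why the proof on the wire needs protecting."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)  # Hi()
    client_key = _hmac(salted, b"Client Key")
    return {"stored_key": hashlib.sha256(client_key).digest(),
            "server_key": _hmac(salted, b"Server Key")}

def auth_message(user, cnonce, snonce, salt, iterations, cbind: bytes) -> bytes:
    """AuthMessage = client-first-bare , server-first , client-final-without-proof.
    c= carries base64(gs2-header + channel-binding data): "biws" is base64("n,,")
    for an unbound session; with p=tls-unique the TLS channel's bytes are included."""
    client_first_bare = f"n={user},r={cnonce}"
    server_first = f"r={cnonce}{snonce},s={base64.b64encode(salt).decode()},i={iterations}"
    client_final_no_proof = f"c={base64.b64encode(cbind).decode()},r={cnonce}{snonce}"
    return f"{client_first_bare},{server_first},{client_final_no_proof}".encode()

def client_proof(password: str, salt: bytes, iterations: int, auth_msg: bytes) -> bytes:
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    client_signature = _hmac(hashlib.sha256(client_key).digest(), auth_msg)
    return _xor(client_key, client_signature)  # ClientProof = ClientKey XOR ClientSignature

def server_verify(record: dict, auth_msg: bytes, proof: bytes) -> bool:
    """Recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    client_key = _xor(proof, _hmac(record["stored_key"], auth_msg))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), record["stored_key"])

# Constructed sample values, not taken from any real session.
SALT, ITERATIONS = b"constructed-salt", 4096
BOUND_A = b"p=tls-unique,," + b"tls-unique value of the client's real TLS session"
BOUND_B = b"p=tls-unique,," + b"tls-unique value of a different TLS session"
```

A proof computed under BOUND_A fails against an AuthMessage built with BOUND_B, which is the property that makes a TLS-terminating intermediary unable to reuse what it captured.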

