
Ask HN: Why don't people use SCRAM for password authentication? - thristian
Blog posts about password authentication usually talk about encrypting passwords in your database, with the understanding that the user's password will be sent verbatim to the server (possibly over an encrypted transport). The usual alternative is digest authentication, where the verbatim password doesn't go over the network, but the server needs to store the plaintext password on disk, which is even worse.

However, SCRAM authentication (defined in RFC 5802) does not pass a verbatim password over the network, does not require a verbatim password stored on the server, or even an unsalted hash. It seems like it ought to be the best possible authentication scheme for all situations - over plaintext, over TLS, whatever. Why isn't it used more heavily? Why isn't it even mentioned in "how to store passwords" threads?
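The exchange the question describes, as an added example that is not part of the original post: a self-contained walk through one SCRAM run, following the RFC 5802 mechanism instantiated with SHA-256 as RFC 7677 does. The server record holds only salt, iteration count, StoredKey = H(ClientKey) and ServerKey; the client sends ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage), and the server recovers ClientKey from the proof and checks its hash. Nonces are passed in as parameters so the run is reproducible; a real implementation draws them from a CSPRNG. Function names and the sample credentials are this example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

HASH = "sha256"                      # SCRAM-SHA-256: RFC 5802 mechanism with SHA-256 (RFC 7677)
DIGEST_LEN = hashlib.new(HASH).digest_size


def _h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _attrs(msg: str) -> dict:
    # SCRAM messages are comma-separated "k=v" pairs; base64 values may contain '='.
    return dict(part.split("=", 1) for part in msg.split(","))


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() in RFC 5802 is PBKDF2 with HMAC as the PRF.
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations, DIGEST_LEN)


def make_stored_record(password: str, salt: Optional[bytes] = None, iterations: int = 4096) -> dict:
    """Enrolment: what the server persists. Neither the password nor ClientKey is kept."""
    if salt is None:
        salt = os.urandom(16)
    sp = salted_password(password, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": _h(_hmac(sp, b"Client Key")),   # StoredKey = H(ClientKey)
        "server_key": _hmac(sp, b"Server Key"),
    }


def scram_exchange(username, password, record, client_nonce, server_nonce):
    """Run one exchange; returns (client_authenticated, server_authenticated, transcript)."""
    # client -> server: client-first-message ("n,," = no channel binding)
    client_first_bare = f"n={username},r={client_nonce}"
    client_first = "n,," + client_first_bare

    # server -> client: combined nonce plus salt and iteration count from the record
    combined_nonce = _attrs(client_first_bare)["r"] + server_nonce
    server_first = (f"r={combined_nonce},s={base64.b64encode(record['salt']).decode()},"
                    f"i={record['iterations']}")

    # client: derive ClientKey from the password and prove it without sending it
    sf = _attrs(server_first)
    if not sf["r"].startswith(client_nonce):
        raise ValueError("server nonce does not extend client nonce")
    sp = salted_password(password, base64.b64decode(sf["s"]), int(sf["i"]))
    client_key = _hmac(sp, b"Client Key")
    client_final_bare = f"c={base64.b64encode(b'n,,').decode()},r={sf['r']}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    client_proof = _xor(client_key, _hmac(_h(client_key), auth_message))
    client_final = client_final_bare + ",p=" + base64.b64encode(client_proof).decode()

    # server: recover ClientKey from the proof using only StoredKey, then check H(ClientKey)
    proof = base64.b64decode(_attrs(client_final)["p"])
    recovered_client_key = _xor(proof, _hmac(record["stored_key"], auth_message))
    client_ok = hmac.compare_digest(_h(recovered_client_key), record["stored_key"])

    # server -> client: on success, prove knowledge of ServerKey (mutual authentication)
    if client_ok:
        server_final = "v=" + base64.b64encode(_hmac(record["server_key"], auth_message)).decode()
    else:
        server_final = "e=invalid-proof"

    # client: check the server signature against its own derivation of ServerKey
    v = _attrs(server_final).get("v")
    expected = _hmac(_hmac(sp, b"Server Key"), auth_message)
    server_ok = v is not None and hmac.compare_digest(base64.b64decode(v), expected)

    return client_ok, server_ok, [client_first, server_first, client_final, server_final]


if __name__ == "__main__":
    # constructed sample credentials; fixed salt and nonces only for a reproducible demo
    rec = make_stored_record("correct horse battery", salt=b"\x01" * 16, iterations=1000)
    for line in scram_exchange("alice", "correct horse battery", rec, "cn0", "sn0")[2]:
        print(line)
```

The transcript never carries the password or ClientKey, and the record holds no reversible form of either. Two caveats the RFC's security considerations spell out still apply: a stolen record plus one captured exchange lets the holder recover ClientKey (proof XOR HMAC(StoredKey, AuthMessage)) and impersonate the client to that server, and the salted password in a stolen record remains subject to offline guessing, so the iteration count and TLS on the wire both still matter.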
======
Bino
Some servers do support it as an authentication method for various purposes...
However, for the web the problem remains: even if the password isn't transported
on the wire, the user still needs to enter the password on an HTML/JS page
provided by the server (which could be compromised anyway).

~~~
moonbug
Not if HTTP Basic Auth is used -- the browser itself will capture the
credentials. Shame kids today don't use it.

