The SCRAM Authentication Protocol (cleeus.de)
4 points by cleeus on Feb 14, 2018 | 1 comment

Nice write-up of it, though I disagree that you can (or should) "recover" from a database breach in that way. If you detect a database breach, it's likely considerably after the event, and you should enforce password changes (and TOTP resyncs).

Also, there's no mention of Channel Binding, which adds considerable protection against MITM attacks aimed at obtaining the ClientProof off the wire.
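
An added example (not code from the linked write-up or from the commenter) of what channel binding does in SCRAM-SHA-256: the client's tls-unique value is folded into AuthMessage, so a ClientProof computed on one TLS session does not verify against a server whose own session has a different value. Password, salt, nonces and tls-unique bytes are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample values; a real exchange uses random nonces and salts.
PASSWORD = b"correct horse battery staple"
SALT = b"constructed-salt"
ITERATIONS = 4096
CLIENT_NONCE = b"rOprNGfwEbeRWgbNEkqO"
SERVER_NONCE = CLIENT_NONCE + b"%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"
GS2_HEADER = b"p=tls-unique,,"  # client requires channel binding (gs2-cbind-flag "p")

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def hmac256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def derive_keys(password: bytes, salt: bytes, iterations: int):
    # Hi() is PBKDF2-HMAC; ClientKey and StoredKey as in RFC 5802 section 3.
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    client_key = hmac256(salted, b"Client Key")
    return client_key, h(client_key)

def auth_message(cbind_data: bytes) -> bytes:
    # client-first-message-bare , server-first-message , client-final-message-without-proof
    client_first_bare = b"n=user,r=" + CLIENT_NONCE
    server_first = b"r=" + SERVER_NONCE + b",s=" + base64.b64encode(SALT) + b",i=%d" % ITERATIONS
    c_attr = base64.b64encode(GS2_HEADER + cbind_data)  # channel binding data lands in AuthMessage
    client_final_bare = b"c=" + c_attr + b",r=" + SERVER_NONCE
    return b",".join([client_first_bare, server_first, client_final_bare])

def client_proof(client_key: bytes, stored_key: bytes, auth_msg: bytes) -> bytes:
    return xor(client_key, hmac256(stored_key, auth_msg))  # ClientKey XOR ClientSignature

def server_accepts(stored_key: bytes, auth_msg: bytes, proof: bytes) -> bool:
    # The server holds only StoredKey: recover ClientKey from the proof and re-hash it.
    recovered = xor(proof, hmac256(stored_key, auth_msg))
    return hmac.compare_digest(h(recovered), stored_key)

def exchange(client_tls_unique: bytes, server_tls_unique: bytes) -> bool:
    """Client binds its proof to its own TLS session; the server checks against its own."""
    client_key, stored_key = derive_keys(PASSWORD, SALT, ITERATIONS)
    proof = client_proof(client_key, stored_key, auth_message(client_tls_unique))
    return server_accepts(stored_key, auth_message(server_tls_unique), proof)

if __name__ == "__main__":
    same = b"tls-unique-bytes-A"
    print("same TLS session:", exchange(same, same))                      # True
    print("proof relayed across sessions:", exchange(same, b"tls-unique-bytes-B"))  # False
```

Without the `c=` attribute the two AuthMessages would be identical and the relayed proof would verify, which is the gap the comment is pointing at.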
