Hacker News
The SCRAM Authentication Protocol (cleeus.de)
4 points by cleeus on Feb 14, 2018 | 1 comment

Nice write-up of it, though I disagree that you can (or should) "recover" from a database breach in that way. If you detect a database breach, it's likely considerably after the event, and you should enforce password changes (and TOTP resyncs).

Also, there's no mention of Channel Binding, which adds considerable protection against MITM attacks aimed at obtaining the ClientProof off the wire.
