[jboss-jira] [JBoss JIRA] (ELY-183) Protocols for password changing

[ https://issues.jboss.org/browse/ELY-183?page=com.atlassian.jira.plugin.sy... ] Jan Kalina edited comment on ELY-183 at 8/12/15 10:49 AM: ---------------------------------------------------------- Ok, second idea (but not compatible with standard auth mechanism) - based on OTP priciple: Clients sends server hash with 1000 iterations. Server store this hash. When client want to login, server ask for hash of the same password with 999 iterations. When clients send it, server add 1 iteration to hash from client and compare output with stored hash - both should now be 1000 iterations hash of the same original string (password or user+realm+password). Bad news: Scram SASL mechanism not allow it - nobody can add iteration into scram password without original string... :( was (Author: honza889): Ok, second idea (but not compatible with standard auth mechanism) - based on OTP priciple: Clients sends server hash with 1000 iterations. Server store this hash. When client want to login, server ask for hash of the same password with 999 iterations. When clients send it, server add 1 iteration to hash from client and compare output with stored hash - both should now be 1000 iterations hash of the same original string (password or user+realm+password). Bad news: Scram SASL mechanism not allow it - nobody can add iteration without original string... :( -- This message was sent by Atlassian JIRA (v6.3.15#6346)