1. 4
  1. 7

    The author is confused by the distinction between the SASL framework for authentication and one of the authentication mechanisms available in SASL. They are describing a salted mechanism (referring to the SASL SCRAM RFC so probably SCRAM, but I haven’t double-checked in detail) and presenting it as being SASL.

    1. 1

      Actually, I wrote my learning on reading the SASL code on the rust postgres driver. https://github.com/sfackler/rust-postgres/blob/master/postgres-protocol/src/authentication/sasl.rs

      Probably, I’m wrong. Let me verify and correct it.

      1. 5

        Yep, you're right.

        Love this community. I’ll correct it.

    2. 2

      SCRAM is nice in that it allows storage of hashed credentials on both the client and the server side; the expensive PBKDF2 password hashing only needs to be done once. It is also very efficient for the server to authenticate using the stored hashes, only involving a handful of hash function invocations.

      Downsides include difficulty of upgrading the hash function, since there are now several variants of SCRAM in circulation, though this could be attributed to SASL itself missing a good way to signal the need to upgrade.

      SCRAM is used extensively in XMPP.
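As an added example (not code from this thread, from rust-postgres, or from any XMPP implementation), the following stand-alone Python implements the SCRAM-SHA-256 exchange (RFC 5802 / RFC 7677) that the comment above describes, with both the client and the server side in one file. The server enrolls a user by running PBKDF2 once and keeps only the salt, iteration count, StoredKey and ServerKey; the client caches SaltedPassword keyed by the server's salt and iteration count so that it also runs PBKDF2 once; and each subsequent login costs the server two HMACs and one SHA-256. The username, password, nonce lengths and iteration count are constructed for the example and are not taken from the page. A `PBKDF2_CALLS` counter is added purely to make the "only once" claim observable; it is not part of the protocol.

```python
"""SCRAM-SHA-256 client and server (RFC 5802 / RFC 7677), minimal form.
Added example with constructed credentials; no channel binding ("n,," / "biws")."""
import base64
import hashlib
import hmac
import os

HASH = "sha256"
PBKDF2_CALLS = {"client": 0, "server": 0}  # instrumentation only, not protocol state


def hi(password: bytes, salt: bytes, iterations: int, side: str) -> bytes:
    """RFC 5802 Hi(): the single expensive step; everything else is HMAC/SHA-256."""
    PBKDF2_CALLS[side] += 1
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations)


def derive_keys(salted_password: bytes):
    """ClientKey, StoredKey = H(ClientKey), ServerKey, all from SaltedPassword."""
    client_key = hmac.new(salted_password, b"Client Key", HASH).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted_password, b"Server Key", HASH).digest()
    return client_key, stored_key, server_key


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def parse(msg: str) -> dict:
    """Split 'k=v,k=v' attributes; usernames here contain neither ',' nor '='."""
    return dict(part.split("=", 1) for part in msg.split(","))


class Server:
    """Stores per user only (salt, StoredKey, ServerKey), never the password."""

    def __init__(self, iterations: int = 4096):  # iteration count is an assumption
        self.iterations = iterations
        self.users = {}

    def enroll(self, username: str, password: bytes) -> None:
        salt = os.urandom(16)
        salted = hi(password, salt, self.iterations, "server")  # PBKDF2 once, at enrollment
        _, stored_key, server_key = derive_keys(salted)
        self.users[username] = (salt, stored_key, server_key)

    def first(self, client_first: str, snonce: str) -> str:
        self._bare = client_first[3:]  # drop the "n,," GS2 header
        fields = parse(self._bare)
        self._user = fields["n"]
        salt, _, _ = self.users[self._user]
        self._first = (f"r={fields['r']}{snonce},"
                       f"s={base64.b64encode(salt).decode()},i={self.iterations}")
        return self._first

    def final(self, client_final: str) -> str:
        """Per-login cost: two HMAC-SHA-256 and one SHA-256, no PBKDF2."""
        _, stored_key, server_key = self.users[self._user]
        without_proof, proof_b64 = client_final.rsplit(",p=", 1)
        auth_message = f"{self._bare},{self._first},{without_proof}".encode()
        client_signature = hmac.new(stored_key, auth_message, HASH).digest()
        client_key = xor(base64.b64decode(proof_b64), client_signature)
        if not hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key):
            raise PermissionError("SCRAM client proof does not verify")
        server_signature = hmac.new(server_key, auth_message, HASH).digest()
        return "v=" + base64.b64encode(server_signature).decode()


class Client:
    """Caches SaltedPassword per (salt, iterations) so PBKDF2 runs once per credential."""

    def __init__(self, username: str, password: bytes):
        self.username, self.password = username, password
        self.cache = {}

    def first(self, cnonce: str) -> str:
        self._cnonce = cnonce
        self._bare = f"n={self.username},r={cnonce}"
        return "n,," + self._bare

    def final(self, server_first: str) -> str:
        f = parse(server_first)
        if not f["r"].startswith(self._cnonce):
            raise ValueError("server nonce does not extend client nonce")
        salt, iterations = base64.b64decode(f["s"]), int(f["i"])
        if (salt, iterations) not in self.cache:
            self.cache[(salt, iterations)] = hi(self.password, salt, iterations, "client")
        client_key, stored_key, self._server_key = derive_keys(self.cache[(salt, iterations)])
        without_proof = f"c=biws,r={f['r']}"  # biws = base64("n,,")
        self._auth_message = f"{self._bare},{server_first},{without_proof}".encode()
        client_signature = hmac.new(stored_key, self._auth_message, HASH).digest()
        proof = base64.b64encode(xor(client_key, client_signature)).decode()
        return f"{without_proof},p={proof}"

    def verify(self, server_final: str) -> bool:
        """Mutual authentication: the server proves knowledge of ServerKey."""
        expected = hmac.new(self._server_key, self._auth_message, HASH).digest()
        return hmac.compare_digest(base64.b64decode(server_final[2:]), expected)


def run_login(server: Server, client: Client) -> bool:
    """Drive one full four-message exchange; raises PermissionError on a bad password."""
    cnonce = base64.b64encode(os.urandom(12)).decode()
    snonce = base64.b64encode(os.urandom(12)).decode()
    client_first = client.first(cnonce)
    server_first = server.first(client_first, snonce)
    client_final = client.final(server_first)
    server_final = server.final(client_final)
    return client.verify(server_final)


if __name__ == "__main__":
    srv = Server()
    srv.enroll("alice", b"correct horse")          # constructed credentials
    cli = Client("alice", b"correct horse")
    print(run_login(srv, cli), run_login(srv, cli), PBKDF2_CALLS)
```

Running two logins with the same client shows `PBKDF2_CALLS` staying at one call per side: the server paid for PBKDF2 at enrollment and the client on its first login, after which every exchange is a few HMAC and SHA-256 calls. The difficulty of upgrading the hash that the comment mentions is visible in the code too: the mechanism name fixes the hash function and the stored values are bound to it, so moving from SCRAM-SHA-1 to SCRAM-SHA-256 requires new StoredKey and ServerKey values, which only the password itself can produce.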