Re: BUG #15911: Why no Bcrypt in pg_hba.conf?

From: Andrew Gierth
Subject: Re: BUG #15911: Why no Bcrypt in pg_hba.conf?
Msg-id: 87blxtzcsq.fsf@news-spur.riddles.org.uk
In reply to: Re: BUG #15911: Why no Bcrypt in pg_hba.conf?  (Marco Sulla <github@marco.sulla.e4ward.com>)
List: pgsql-bugs
>>>>> "Marco" == Marco Sulla <github@marco.sulla.e4ward.com> writes:

 Marco> It seems that SCRAM is hash-agnostic:
 Marco> https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism#Protocol_overview

Regardless, SHA256 is the algorithm specified in the current standard
(see RFC 7677), and since the client and server need to agree on this,
we have very strong reasons (as Tom pointed out) not to proliferate
algorithms.

 Marco> The significant advance is that it is well known that SHA
 Marco> algorithms are not as good as Bcrypt for password hashing:

 Marco> https://rietta.com/blog/bcrypt-not-sha-for-passwords/

This is comparing bcrypt against _one round_ of SHAx, which is not what
SCRAM uses (it uses PBKDF2).

 Marco> https://crypto.stackexchange.com/a/46552

This starts out by comparing bcrypt with (unsalted!) SHA-512, but then
does at least go on to mention PBKDF2.

 Marco> https://security.stackexchange.com/a/133251/27264

This at least looks like it's comparing the right things.

-- 
Andrew (irc:RhodiumToad)
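Andrew's point that SCRAM runs the password through salted, iterated PBKDF2 rather than a single SHA round, shown as an added Python example that is not part of this thread or of PostgreSQL's code: the SCRAM-SHA-256 verifier and client/server proof computation per RFC 5802 and RFC 7677. The salt, nonces and password are constructed values, and SASLprep is omitted.

```python
import base64
import hashlib
import hmac
import os

def salted_password(password, salt, iterations):
    """Hi(password, salt, i) of RFC 5802 is PBKDF2 with HMAC-SHA-256 as PRF (RFC 7677)."""
    # RFC 5802 calls for SASLprep on the password; plain UTF-8 is used here for brevity.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_verifier(password, iterations=4096, salt=None):
    """What the server stores: salt, iteration count, StoredKey and ServerKey, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    sp = salted_password(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha256(client_key).digest(),
            "server_key": hmac.new(sp, b"Server Key", hashlib.sha256).digest()}

def client_proof(password, salt, iterations, auth_message):
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage); the client repeats the PBKDF2 work."""
    sp = salted_password(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    return xor_bytes(client_key, hmac.new(stored_key, auth_message, hashlib.sha256).digest())

def server_verify(verifier, auth_message, proof):
    """Recover ClientKey from the proof and check H(ClientKey) == StoredKey in constant time."""
    client_sig = hmac.new(verifier["stored_key"], auth_message, hashlib.sha256).digest()
    client_key = xor_bytes(proof, client_sig)
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), verifier["stored_key"])

def server_signature(verifier, auth_message):
    """ServerSignature = HMAC(ServerKey, AuthMessage): proves to the client that the server holds the verifier."""
    return hmac.new(verifier["server_key"], auth_message, hashlib.sha256).digest()

# Constructed demo values (not from any real exchange): salt, nonces and password are made up.
SALT = b"saltsaltsaltsalt"
VERIFIER = make_verifier("pencil", iterations=4096, salt=SALT)
# AuthMessage = client-first-bare "," server-first "," client-final-without-proof (RFC 5802 s.3).
AUTH_MESSAGE = (b"n=user,r=clientnonce,r=clientnonceservernonce,s=" + base64.b64encode(SALT)
                + b",i=4096,c=biws,r=clientnonceservernonce")

if __name__ == "__main__":
    proof = client_proof("pencil", SALT, 4096, AUTH_MESSAGE)
    print("proof accepted:", server_verify(VERIFIER, AUTH_MESSAGE, proof))
```

Note that the stored verifier holds only StoredKey and ServerKey, so an attacker who reads it still has to redo the full PBKDF2 iteration count per guess, which is the property the single-round SHA comparisons in the linked articles miss.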
