Send password over TCP connection

Paul Rubin http
Tue Oct 11 03:26:15 EDT 2005


Laszlo Zsolt Nagy <gandalf at designaproduct.biz> writes:
> This is a bit off-topic here. I read the RFC and I do not see why SRP
> is not vulnerable to dictionary attacks.
> If I have a working client software then I can use it to reveal
> passwords. Isn't it a dictionary attack?

Dictionary attack in this context means an eavesdropper records a
session, then compares all the hashed passwords against a word list
offline.  If the attacker is allowed to make unlimited online queries,
then he can guess at SRP passwords too.  But the host should notice
that and prevent it.
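A sketch of the host-side check the reply refers to, added here as an illustration and not part of the original post: failed logins are counted per account, and each lockout doubles in length, so online guessing becomes too slow to cover a word list. The class name, thresholds and the `FakeClock` helper are assumptions chosen for the example; the verifier itself (SRP or otherwise) is outside its scope.

```python
import time

class GuessThrottle:
    """Count failed logins per account; lock out with doubling delays."""
    def __init__(self, max_failures=5, window=300.0, base_lockout=30.0,
                 clock=time.monotonic):
        self.max_failures = max_failures   # failures tolerated inside `window`
        self.window = window               # seconds a failure stays relevant
        self.base_lockout = base_lockout   # first lockout length in seconds
        self.clock = clock
        self._failures = {}                # account -> recent failure times
        self._locked_until = {}            # account -> time the lock expires
        self._lockouts = {}                # account -> lockouts so far

    def allowed(self, account):
        # Call before running the password verifier at all.
        return self.clock() >= self._locked_until.get(account, 0.0)

    def record_failure(self, account):
        now = self.clock()
        recent = [t for t in self._failures.get(account, []) if now - t < self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            n = self._lockouts.get(account, 0)
            self._lockouts[account] = n + 1
            self._locked_until[account] = now + self.base_lockout * (2 ** n)
            self._failures[account] = []

    def record_success(self, account):
        self._failures.pop(account, None)
        self._lockouts.pop(account, None)

class FakeClock:
    """Constructed clock so the simulation runs instantly and repeatably."""
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now

def guesses_reaching_verifier(attempts, interval, **limits):
    """Simulate one wrong guess every `interval` seconds against one account."""
    clock = FakeClock()
    throttle = GuessThrottle(clock=clock, **limits)
    reached = 0
    for _ in range(attempts):
        if throttle.allowed("alice"):      # "alice" is a constructed account name
            reached += 1
            throttle.record_failure("alice")
        clock.now += interval
    return reached
```

With the default limits, 1000 guesses sent one per second result in only 30 actually being checked. Per-account lockout lets anyone lock a known account, so deployments usually combine it with per-source limits and alerting.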



More information about the Python-list mailing list