


577 bytes added, 04:30, 3 July 2013
=== SRP Verifier Calculation ===
When the client first creates the account, it must combine the account email address, the stretched password (srpPW), and a randomly-generated srpSalt to compute the srpVerifier. The server will use this verifier later to check whether or not the client really knows the password. If the server is compromised and an attacker learns the srpVerifier for a given account, they cannot use it to log in directly, but it does allow them to perform an offline brute-force attack against the user's password. In this respect, it is similar to a traditional hashed password. We make these attacks somewhat more expensive by performing the client-side stretching described above, instead of using the raw user password in the SRP calculation.
[[File:PICL-IdPAuth-SRP-Verifier.png|client-side SRP Verifier calculation]]
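The client-side calculation described above, as an added example (not PICL's own code): the group, hash and stretching function are assumptions chosen to match standard SRP-6a (RFC 5054, 1024-bit group, SHA-256) with PBKDF2 standing in for the client-side stretching the page refers to; the diagram, not the text, fixes the real parameters.

```python
import hashlib
import secrets

# Assumed group: the 1024-bit SRP group from RFC 5054 with generator 2.
# PICL's actual parameters are given in the diagram above, not in the text.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
assert N.bit_length() == 1024


def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of its arguments (assumed hash)."""
    return hashlib.sha256(b"".join(parts)).digest()


def stretch(password: str, email: str) -> bytes:
    """Stand-in for the client-side stretching described earlier on the page.
    Assumption: PBKDF2-HMAC-SHA256, 100k iterations, salted with the email.
    Every offline guess against a leaked verifier has to pay this cost too."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               email.encode("utf-8"), 100_000)


def srp_verifier(email: str, srp_pw: bytes, srp_salt: bytes) -> int:
    """srpVerifier per SRP-6a: x = H(salt | H(email ":" srpPW)), v = g^x mod N.
    Recovering srpPW from v alone would require a discrete logarithm, which is
    why the verifier cannot be replayed as a login credential."""
    inner = H(email.encode("utf-8"), b":", srp_pw)
    x = int.from_bytes(H(srp_salt, inner), "big")
    return pow(g, x, N)


def create_account(email: str, password: str) -> dict:
    """What the client sends at account creation: email, salt and verifier.
    The raw password and srpPW never leave the client."""
    srp_salt = secrets.token_bytes(32)          # randomly generated per account
    srp_pw = stretch(password, email)
    return {"email": email, "srpSalt": srp_salt,
            "srpVerifier": srp_verifier(email, srp_pw, srp_salt)}


if __name__ == "__main__":
    rec = create_account("alice@example.com", "correct horse battery staple")
    print(rec["srpSalt"].hex(), hex(rec["srpVerifier"])[:18] + "...")
```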
