Guus's assessment: "it tries to generate a salt for a user by resetting the password - which unexpectedly does not create a salt, causing it to fall in a recursive loop". Am seeing this on ignite's Openfire:
Uffties, took me a while to figure out a reproducer.
Set openfire property `sasl.mechs = SCRAM-SHA-1`
Update an example user's ofUser table entry to look like so
attempt to login with Pidgin, boom
Tested patch and can not reproduce.