This is not really related to #566, so I'm opening a separate ticket for it.
The default iteration count of 4096 for SCRAM-SHA-1 is too low to be considered secure. However, suggestions to raise that have always been met with "it would take forever on mobile devices!".
One way to not make it impact mobile devices very much would be to allow clients to store only the clientKey and avoid all of the time consuming hashing. That means that the server must always use the same salt and iteration count. With internal_hashed, Prosody stores those, but with internal_plain it doesn't. There's no reason why it couldn't store them for internal_plain too.