undefined | Better HN

0 pointschairmanwow15y ago0 comments

I think I really disagree with you there. This is the same concept but applied client-side instead of server-side.

But “client-side peppering” won’t get you to the front page of HN..

0 comments

I would click “client-side peppering” over horxsomething, didn't read Harry Potter

Horcruxes are similar to what emmanueloga_ has mentioned. Horcruxes were special things in which Harry Potter's lead antagonist, Voldemort stored parts of his 'soul', so that even if he died, someone cpuld revive him using the horcruxes. I haven't kept up with Harry Potter for a year now, so I might be wrong with respect to the exact definition.

cduzz5y ago

A horcrux is a plot device where the protagonists need 2fa to send a HUP or TERM to the misbehaving process.

1 more reply

tgb5y ago

I think these concepts are significantly different - as different as salts and peppers at least. Peppering helps protect against database access revealing password. Horcrux protects against password manager access. Peppering is stored on the server, but outside the database. Horcruxes are stored in the user's head. You could do both, one, or neither. Client-side peppering would be having part of your password outside of the password manager but still on your computer. If anything it's brain-side peppering.

kbenson5y ago

> Peppering helps protect against database access revealing password. Horcrux protects against password manager access.

What is a password manager but a database of your passwords? Peppering is a token that is not in the database of passwords that needs to be applied for the password to be correct. Whether it's applied by an application, or a person doesn't seem relevant, as what is an application but a set of instructions a person could do carried out automatically?

I don't care what it's called, but I don't really see a difference in the scenarios you've outlined.

e12e5y ago

> Peppering is a token that is not in the database of passwords that needs to be applied for the password to be correct.

Well, typically a server only cares about verifying the user (still) knows a password.

A typical server (today) does not have a way to reconstruct the plain password, only a way to check if any given string matches.

A password manager, typically does have a way to supply the password.

Peppers and salts are typically manipulated by the server system, plain passwords are typically managed by the password manager.

In this case the password manager never sees the hocrux, and cannot leak it. A server will typically leak a pepper to anyone with access to ram (or access to a hw enclave, which is expected to be more difficult).

tgb5y ago

Frankly this has more in common with a 2FA approach with one factor being the password manager and the other your horcrux. I wouldn't call my phone authenticator app a client-side pepper.

kkirsche5y ago

Agreed. A common reason for shared terminology in computing is to encourage re-use of techniques, this is a great example of that

j / k navigate · click thread line to collapse

0 comments

molszanski5y ago

I would click “client-side peppering” over horxsomething, didn't read Harry Potter

phantom_rehan5y ago

cduzz5y ago

A horcrux is a plot device where the protagonists need 2fa to send a HUP or TERM to the misbehaving process.

1 more reply

tgb5y ago

kbenson5y ago

> Peppering helps protect against database access revealing password. Horcrux protects against password manager access.

I don't care what it's called, but I don't really see a difference in the scenarios you've outlined.

e12e5y ago

> Peppering is a token that is not in the database of passwords that needs to be applied for the password to be correct.

Well, typically a server only cares about verifying the user (still) knows a password.

A typical server (today) does not have a way to reconstruct the plain password, only a way to check if any given string matches.

A password manager, typically does have a way to supply the password.

Peppers and salts are typically manipulated by the server system, plain passwords are typically managed by the password manager.

tgb5y ago

Frankly this has more in common with a 2FA approach with one factor being the password manager and the other your horcrux. I wouldn't call my phone authenticator app a client-side pepper.

kkirsche5y ago

Agreed. A common reason for shared terminology in computing is to encourage re-use of techniques, this is a great example of that

j / k navigate · click thread line to collapse