undefined | Better HN

0 pointstialaramex3y ago0 comments

No. In order for password authentication to be something a five year old can do by pasting PHP code they found in a Stack Overflow search, that is how it works.

But algorithmically even if you want passwords (you don't in most cases, get WebAuthn for example for web site authentication) you can use an asymmetric PAKE such as OPAQUE:

https://tools.ietf.org/id/draft-krawczyk-cfrg-opaque-03.html

This is quite a bit more complicated than the one line PHP password stuff you pasted from Stack Overflow, but the user's password never leaves their machine, and so the Relying Party doesn't know the password, and yet they can verify that the user does know the password which they originally chose for the site.

0 comments

tialaramexOP3y ago

When people downvote something I wrote because it's sharing an opinion they don't like it, I kinda get it, that's not really what HN downvotes are for, but sure.

However in cases like this what I wrote was just a fact about a world which they weren't aware of, I'm not sure what they hope to achieve by downvoting.

ivanbakel wrote "In order for password security to work, you have to send Steam your actual password" and that's not true. It's not going to become more true if you can just delete my comment explaining why it's not true, that's not how our universe works.

detaro3y ago

It seems pretty obvious that you were downvoted primarily for the entire entirely unnecessary "5 year olds copy-pasting from stack overflow" bit. "Actually, this isn't true anymore, a few years ago [afaik OPAQUE is from only 2018?) they found a protocol that solves this:" would've been a much more productive start to that comment.

tialaramexOP3y ago

While OPAQUE is modern, this whole idea isn't. SRP is a 1997 Stanford project with their results first published in 1998.

But you're probably not wrong about people not liking how I phrased my reply.

1 more reply

ivanbakel3y ago

To quote the guidelines:

>Be kind. Don't be snarky. Have curious conversation; don't cross-examine. Please don't fulminate. Please don't sneer, including at the rest of the community.

j / k navigate · click thread line to collapse

0 pointstialaramex3y ago0 comments

No. In order for password authentication to be something a five year old can do by pasting PHP code they found in a Stack Overflow search, that is how it works.

But algorithmically even if you want passwords (you don't in most cases, get WebAuthn for example for web site authentication) you can use an asymmetric PAKE such as OPAQUE:

https://tools.ietf.org/id/draft-krawczyk-cfrg-opaque-03.html

0 comments

tialaramexOP3y ago

When people downvote something I wrote because it's sharing an opinion they don't like it, I kinda get it, that's not really what HN downvotes are for, but sure.

However in cases like this what I wrote was just a fact about a world which they weren't aware of, I'm not sure what they hope to achieve by downvoting.

detaro3y ago

tialaramexOP3y ago

While OPAQUE is modern, this whole idea isn't. SRP is a 1997 Stanford project with their results first published in 1998.

But you're probably not wrong about people not liking how I phrased my reply.

1 more reply

ivanbakel3y ago

To quote the guidelines:

>Be kind. Don't be snarky. Have curious conversation; don't cross-examine. Please don't fulminate. Please don't sneer, including at the rest of the community.

j / k navigate · click thread line to collapse