
The problem with passwords on the web is that they require sending and trusting private credentials to someone else. As devs we need to work on making better systems (e.g. TLS client certs and SRP (e.g. TLS-SRP or PAKE)) more usable.

It's not a magic bullet and not something a switch can be flipped on, but the status quo is terrible.




SRP doesn't solve the problem you think it does. SRP (and PAKEs in general) still requires the server to store a verifier. Those verifiers can be cracked just like password hashes; in fact, they're often easier to crack.
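An added worked example of the offline attack the comment above refers to (this is not code from anyone in the thread; it is illustrative). The assumptions: SRP-6a as in RFC 5054, with the 1024-bit group from its Appendix A, and SHA-256 in place of the RFC's SHA-1 (the choice of hash changes nothing about the attack). A leaked (salt, verifier) pair lets an attacker test candidate passwords offline, exactly as with a leaked salted hash: compute x from the guess and the salt, raise g to it, compare. The username, salt and wordlist below are constructed for the example.

```python
import hashlib

# SRP-6a parameters: the 1024-bit group from RFC 5054 Appendix A (g = 2).
# Any group works for the attack; the verifier is simply g^x mod N.
N_HEX = (
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3"
)
N = int(N_HEX, 16)
g = 2


def srp_x(salt: bytes, username: str, password: str) -> int:
    """x = H(salt || H(I ":" P)), the SRP private exponent derived from the password.

    Assumption: SHA-256 instead of the RFC's SHA-1. Note there is no cost
    parameter here: one fast hash per guess, no key stretching.
    """
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")


def srp_verifier(salt: bytes, username: str, password: str) -> int:
    """v = g^x mod N; this is what the server stores next to the salt."""
    return pow(g, srp_x(salt, username, password), N)


def crack_verifier(salt: bytes, username: str, verifier: int, wordlist):
    """Offline dictionary attack on a leaked (salt, verifier) pair.

    Per guess: one SHA-256 (plus one more for the inner hash) and one modular
    exponentiation with a 256-bit exponent. Returns the password if it is in
    the wordlist, else None. This is the same loop you would run against a
    leaked salted SHA-256 password hash.
    """
    for candidate in wordlist:
        if srp_verifier(salt, username, candidate) == verifier:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed example data: a user registers with a weak password.
    salt = bytes.fromhex("0a1b2c3d4e5f60718293a4b5c6d7e8f9")  # hypothetical salt
    stored_verifier = srp_verifier(salt, "alice", "hunter2")

    # Attacker obtains the server's database dump (salt + verifier) and a wordlist.
    wordlist = ["password", "123456", "letmein", "hunter2", "qwerty"]
    print("recovered:", crack_verifier(salt, "alice", stored_verifier, wordlist))
```

The point of the example is that the verifier gives the attacker a cheap equality oracle for password guesses, and the per-guess cost is set by the hash and the modexp rather than by a tunable work factor, so the usual defences for stored password hashes (a slow, memory-hard KDF on the server side, and strong user passwords) still matter with SRP.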


Source? The purpose of the verifier is to be difficult to reverse or collide.


Source: it's obvious? John The Ripper implements the attack? You can trivially implement the attack yourself? This is literally a Cryptopals exercise?


Wonderful source. Thanks.


Like U2F?


U2F is definitely nice, but it's impractical to expect everyone to have a hardware key. There are software only wins that can be much better than the current status quo.

Sure, you can have software U2F keys, but that's not common or expected from what I understand.


There is no reason software based U2F tokens can't exist. We actually released one just this week: https://github.com/github/softu2f. It went through a certification process and was certified as a valid FIDO U2F implementation. I'd love to see more and more non-dongle based solutions going forward.


Complete aside, I initially got extremely angry at you before even reading your post. Pat Toomey, Senate Class 3, is unfortunately one of my Senators.

I'm pretty sure he doesn't work at Github, though :)



That seems to be the only one out there, hence my conception that it's mainly a hardware-key. I would also be interested in seeing more cross-platform software U2F implementations!


For sure, software based tokens are not the norm (yet). Part of our hope with releasing a software based token is to push the security vs. user experience conversation forward. Sure, hardware tokens are great. But, they don't have the best UX and have a pretty steep barrier to entry. Hopefully Soft U2F helps to spawn a more varied set of solutions. Over time, browsers and password managers could integrate these kinds of features. For example, https://crbug.com/678128 is a tracking issue for implementing U2F in Chrome itself, which would be great.


Or OAuth.


Not the current OAuth. It is different for each provider. The standard isn't strict enough. I have to write something special each implementation I want to use. The standard needs to be modified so every implementation works exactly the same way - then I'd say OAuth would be a good potential solution.


The provider of an oauth endpoint normally still requires you to send your private credentials.

It also ties a lot of identities together, making it not an ideal solution for many people.



