[clug] A Question About Password Handling and Authentication Mechanisms
Tony Lewis
tony at lewistribe.com
Wed Nov 26 03:26:22 MST 2014
On 26/11/14 20:25, jm wrote:
> Just below the Wikipedia reference you provide is the Examples section
> (
> http://en.wikipedia.org/wiki/Challenge%E2%80%93response_authentication#Examples
> ). Some of the protocols there look to be written to address similar
> concerns. I don't have time to read these today though. If these
> protocols do avoid storing usable password information on the server
> or disclosing it on the channel, then one must ask why these protocols
> aren't getting wide use?
Honestly I think it's because it's nuanced and easy to disregard until a
disaster happens. Put another way, humans are lousy risk assessors.
There may be massive breaches happening monthly, but still we
subconsciously think it can't happen to us.
Like backups; it's still quite hard to get it right.
> To take one example (rfc5802), SCRAM provides the following protocol
> features:
And there's HMAC. And I stumbled on Password-Authenticated Key (PAK)
Diffie-Hellman Exchange (RFC5683), from Google, which looks interesting.
Tony
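Added example, not part of the thread: the SCRAM-SHA-1 key derivation and proof check from RFC 5802 that jm's question touches on, showing why the server's stored values (StoredKey, ServerKey) cannot be replayed as a password and why only a nonce-bound proof crosses the channel. Password, salt, nonces and user name are constructed sample values; the message layout follows section 7 of the RFC.

```python
import base64
import hashlib
import hmac

HASH = "sha1"        # SCRAM-SHA-1 uses SHA-1 for H and HMAC
ITERATIONS = 4096    # constructed iteration count for Hi()

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hmac_digest(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()

def auth_message(user: str, cnonce: str, snonce: str, salt: bytes, iterations: int) -> bytes:
    # client-first-bare , server-first , client-final-without-proof (RFC 5802 section 7)
    s = base64.b64encode(salt).decode()
    return (f"n={user},r={cnonce},r={cnonce}{snonce},s={s},i={iterations},"
            f"c=biws,r={cnonce}{snonce}").encode()

def derive_stored_credentials(password: str, salt: bytes, iterations: int) -> dict:
    # What the server keeps at enrolment. StoredKey = H(ClientKey); a thief of the
    # database cannot turn it back into ClientKey, so cannot build a valid proof.
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)  # Hi()
    client_key = hmac_digest(salted, b"Client Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha1(client_key).digest(),
            "server_key": hmac_digest(salted, b"Server Key")}

def client_proof(password: str, salt: bytes, iterations: int, auth_msg: bytes) -> bytes:
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage); the password and
    # ClientKey themselves never leave the client.
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    client_key = hmac_digest(salted, b"Client Key")
    stored_key = hashlib.sha1(client_key).digest()
    return xor_bytes(client_key, hmac_digest(stored_key, auth_msg))

def server_verify(creds: dict, auth_msg: bytes, proof: bytes) -> bool:
    # Recover ClientKey from the proof and compare its hash with StoredKey.
    # A proof replayed under different nonces recovers garbage and fails.
    client_sig = hmac_digest(creds["stored_key"], auth_msg)
    recovered = hashlib.sha1(xor_bytes(proof, client_sig)).digest()
    return hmac.compare_digest(recovered, creds["stored_key"])

def server_signature(creds: dict, auth_msg: bytes) -> bytes:
    # Sent back to the client so it can confirm the server holds ServerKey.
    return hmac_digest(creds["server_key"], auth_msg)
```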