[clug] A Question About Password Handling and Authentication Mechanisms

Tony Lewis tony at lewistribe.com
Wed Nov 26 03:26:22 MST 2014

On 26/11/14 20:25, jm wrote:
> Just below the Wikipedia reference you provide is the Examples section 
> ( 
> http://en.wikipedia.org/wiki/Challenge%E2%80%93response_authentication#Examples 
> ). Some of the protocols there look to written to address similar 
> concerns. I don't have time to read these today though. If these 
> protocols do avoid storing usable password information on the server 
> or disclosing it on the channel, then one must ask why these protocol 
> aren't getting wide use?

Honestly I think it's because it's nuanced and easy to disregard until a 
disaster happens.  Put another way, humans are lousy risk assessors.  
There may be massive breaches happening monthly, but still we 
subconsciously think it can't happen to us.

Like backups; it's still quite hard to get it right.

> To take one example (rfc5802), SCRAM provides the following protocol 
> features:

And there's HMAC.  And I stumbled on Password-Authenticcated Key (PAK) 
Diffie-Hellman Exchange (RFC5683), from Google, which looks interesting.


More information about the linux mailing list