[Cryptography] passwords, or not

John Denker jsd at av8n.com
Tue Apr 6 01:28:46 EDT 2021


On 4/5/21 4:27 PM, Jerry Leichter wrote:

> We're still a long way from eliminating passwords and the problem of 
> how to make them as effective as possible remains.

Can somebody please explain, how far away are we, really?
What's the hold-up?

The recent discussion about how best to send passwords over the
wire strikes me as the worst sort of turd-polishing. It reminds
me of the old Smith&Dale shtick:
  Patient:    Doctor, Doctor, it hurts when I do /this/.
  Kronkheit:  So don't do that.

To avoid sending passwords over the wire, use zero-knowledge
password proofs. Such things have been around since 1992.
  https://en.wikipedia.org/wiki/Zero-knowledge_password_proof
An intelligent discussion of the issues is here:
  https://blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/

Why not just incorporate this into browsers?

> If, indeed, it doesn't "reach the other end" - how is it useful as a
> passphrase?

The only passphrase I remember is the one that unlocks the wallet
where I keep my passwords. This passphrase definitely does not
reach the other end ... yet it serves a crucial purpose.

Everybody I know uses some sort of wallet.

Moving from "password wallet" to "zero-knowledge proof agent" is
a very small step. The complexity, from the user's point of view,
is the same. The UI (if done right) is essentially the same.

The number of browsers on the market is small.
The number of e-commerce platforms on the market is small.
What is the barrier to rolling out something decent, real soon?

