Hacker News new | past | comments | ask | show | jobs | submit login

Zero-knowledge proofs are an extremely practical problem. If you could convince an algorithm that you know a password, without having to type it, you would be impervious to keyloggers or any loss of your password - you would never have to change your password, either.

Unfortunately, there are no practical zero-knowledge proofs anyone can use in their heads. For this reason we are left typing them at least into the local device we're using - or having to use a second factor. Passwords can't stay in our head. That's a shame, because there's no theoretical reason for this to be so. Theoretically, easy, practical zero-knowledge proofs we can implement in our heads could exist. But apparently they don't.




Imagine a website who wants to add password-less login. They can give the user a program or dongle which the user can type in their preferred password, and a code from the website. The dongle outputs a new nimber, which is then sent to the website. The website then asks to repeat this step as many times as they desire to ensure thst the user knew the password, all without sending it or revealing it to the website.


Dongles similar to this exist, but you've just moved the problem: the user now needs to type their password into that device. If there were a real zero-knowledge protocol, the user could prove to the device that they know the password, without having to type it: the device still wouldn't have it. Even if someone stole the device, copied it, or modified it to record the user's input, this would not compromise the user's security in the future. (At worst it could MITM a current session, while leaving the user's password secure and uncompromised.) That is not the case with the dongle you have described.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: