
There's a simpler protocol SCRAM based on just a hash function and similarly doesn't send a cleartext password.



Right. SCRAM is only secure if you already have a secure channel - eg if you’ve already done a TLS handshake with certificate auth. A PAKE is secure on its own. However, IMO most people saying they need a PAKE could use SCRAM instead and actually have a chance of understanding what they have deployed.
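To make concrete what the two comments above describe (a challenge-response that never puts the cleartext password on the wire, and what the server holds instead), here is an added example, not code from anyone in this thread: a single-process walk-through of the four SCRAM-SHA-256 messages (RFC 5802 / RFC 7677) with both sides' computations. Nonces can be injected so the run is reproducible; the names `enroll` and `run_exchange` are this example's own.

```python
import base64
import hashlib
import hmac
import os


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def _parse(msg: str) -> dict:
    # SCRAM attributes are "k=value" pairs separated by commas; values are
    # base64 (no commas), so splitting once on the first "=" is enough.
    return dict(part.split("=", 1) for part in msg.split(","))


def enroll(password: str, salt: bytes = b"", iterations: int = 4096) -> dict:
    """Server-side enrolment. Only salt, iteration count, StoredKey and
    ServerKey are kept: neither the password nor SaltedPassword is stored."""
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha256(client_key).digest(),
        "server_key": _hmac(salted, b"Server Key"),
    }


def run_exchange(user, password, creds, client_nonce=None, server_nonce=None):
    """Runs the four SCRAM-SHA-256 messages between a client that knows
    `password` and a server that holds `creds` from enroll(). Returns
    (transcript, server_accepted, client_accepted). Nonces may be injected
    for reproducible tests; real deployments use os.urandom for both."""
    cn = client_nonce or _b64(os.urandom(18))
    sn = server_nonce or _b64(os.urandom(18))

    # 1. client-first: "n,," means no channel binding and no authzid.
    client_first_bare = f"n={user},r={cn}"
    client_first = "n,," + client_first_bare

    # 2. server-first: the server extends the nonce and publishes salt and i.
    server_first = f"r={cn + sn},s={_b64(creds['salt'])},i={creds['iterations']}"

    # 3. client-final: the client derives ClientKey from its password and
    #    proves it over AuthMessage, which binds all three messages and nonces.
    sp = _parse(server_first)
    salt, iterations = base64.b64decode(sp["s"]), int(sp["i"])
    client_final_bare = f"c={_b64(b'n,,')},r={sp['r']}"
    auth_message = ",".join([client_first_bare, server_first, client_final_bare]).encode()
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    client_sig = _hmac(hashlib.sha256(client_key).digest(), auth_message)
    client_final = f"{client_final_bare},p={_b64(_xor(client_key, client_sig))}"

    # 4. server-final: the server recovers ClientKey from the proof using only
    #    StoredKey, checks H(ClientKey) == StoredKey, then proves ServerKey.
    proof = base64.b64decode(_parse(client_final)["p"])
    recovered_key = _xor(proof, _hmac(creds["stored_key"], auth_message))
    server_accepted = hmac.compare_digest(
        hashlib.sha256(recovered_key).digest(), creds["stored_key"])
    if server_accepted:
        server_final = f"v={_b64(_hmac(creds['server_key'], auth_message))}"
        # The client checks the server knew ServerKey (mutual authentication).
        expected = _hmac(_hmac(salted, b"Server Key"), auth_message)
        client_accepted = hmac.compare_digest(
            base64.b64decode(_parse(server_final)["v"]), expected)
    else:
        server_final, client_accepted = "e=invalid-proof", False

    return [client_first, server_first, client_final, server_final], server_accepted, client_accepted


if __name__ == "__main__":
    creds = enroll("correct horse battery staple")
    transcript, ok_server, ok_client = run_exchange(
        "alice", "correct horse battery staple", creds)
    print("\n".join(transcript), ok_server, ok_client)
```

The transcript carries salt, iteration count, nonces and the proof, but never the password, and a dump of the server store yields StoredKey and ServerKey rather than anything directly usable as a password. The caveat from the comment above is visible in the same transcript: a passive eavesdropper who captures it has everything needed to run an offline dictionary attack against the proof, which is why SCRAM is normally run inside TLS (or with channel binding) rather than as a stand-alone replacement for a PAKE.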


Even if it's conceptually simpler, it still suffers from the same issues in my comment


If you mean login without javascript, that can't be helped. If you mean password slurped from DOM, you can't possibly make it worse.


Conceptually there's no reason this couldn't be implemented by the browser with a new password element and a protocol built on top of HTTPS.


FWIW there's an experimental RFC 7804, but I don't know if any browser implemented it.



