
I guess a bigger question is why don't we use challenge/response authentication for websites? This way, a program like keychain could answer challenges without ever exposing plain-text passwords.



Still, somehow keychain would have to know the passwords, and presumably they would have to be encrypted with the login password of the current user. So it would still be possible for the current user to extract their own passwords. I don't think it is possible to hide passwords on the client side.


Am I the only one who read your post and said "huh"? Don't mean to have a naive reply, but this is new to me.


The server sends a challenge to the client. The client computes response = f(challenge, password), and sends the response. Then the server compares the response with its own computation of f(challenge, password). Since f is some type of hash function, we can assume that the client knew the actual password, as it would have been too hard computationally to come up with the correct response without it.

In such a scheme, the keychain can do the computation and the password never leaves the keychain. We can even go as far as to have the keychain be separate hardware (e.g. a USB dongle), so the password never even has to exist on the client's computer at all.
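The exchange described in the comment above, as an added example that is not part of the original thread. It assumes f is HMAC-SHA256 keyed with the password; the `Server` and `Keychain` classes and the sample credentials are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def f(challenge: bytes, password: str) -> bytes:
    # Assumption: f is HMAC-SHA256 keyed with the password.
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class Keychain:
    """Client side: holds the password and only ever releases responses."""

    def __init__(self, password: str):
        self._password = password

    def answer(self, challenge: bytes) -> bytes:
        return f(challenge, self._password)


class Server:
    """Server side: as in the comment, it must be able to compute f itself."""

    def __init__(self, users: dict):
        self._users = users      # username -> shared secret
        self._pending = {}       # username -> outstanding challenge

    def issue_challenge(self, username: str) -> bytes:
        challenge = secrets.token_bytes(32)  # fresh and unpredictable each login
        self._pending[username] = challenge
        return challenge

    def verify(self, username: str, response: bytes) -> bool:
        # pop() makes the challenge single-use, so a captured response
        # cannot be replayed against the same challenge.
        challenge = self._pending.pop(username, None)
        password = self._users.get(username)
        if challenge is None or password is None:
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(f(challenge, password), response)


if __name__ == "__main__":
    server = Server({"alice": "correct horse"})   # constructed sample account
    keychain = Keychain("correct horse")
    challenge = server.issue_challenge("alice")
    response = keychain.answer(challenge)
    print("first attempt:", server.verify("alice", response))
    print("replayed response:", server.verify("alice", response))
```

Only the challenge and the response cross the wire; the server side still holds a secret from which it can compute f.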


I believe you are describing the <keygen> HTML element.

https://developer.mozilla.org/en-US/docs/HTML/Element/keygen


Okay, so my phone? My, at work, workstation?

How about borrowing a friend's computer? If you suggest that I'd bring a USB dongle for that, we live in different universes.


I was simply trying to clarify the challenge-response mechanism for the parent poster, not suggesting you use keychain dongles everywhere.

Regardless, the idea that the plaintext password doesn't have to leave the device (whether the device is a dongle, your phone, or the keychain application) is a valuable consequence of the challenge-response mechanism, and I wish support for it were more widespread.


The reason it isn't widespread is that you also have to spread it across all your devices, which is neither secure nor usable enough for the mainstream today.

Unless that is solved it isn't a solution worth considering.


Not worth considering as a 'fits all' solution, yes, but it still is worth considering for specialized cases; in general, those cases where the added inconvenience is worth the added security. For example, some banks use effectively this for logging in to your online account. And that can be made to work with any device with a display and a keyboard:

  - computer shows challenge#

  - user types challenge# on bank supplied device

  - bank supplied device shows response

  - user types response on computer


Blizzard uses a challenge-response system called SRP for Battle.net. That's fairly mainstream.

You have to enter your password into all your devices anyway, so why not use challenge and response?



