Hacker News new | ask | show | jobs
by reitanqild 3669 days ago
> What if the salt was derived from a key the user had to supply and wasn't stored anywhere?

If I understood you that is the same as demanding the user to input two strings for password authentication, one for salt and one for password, in which case you might just as well require the user to use a longer password.
1 comments
EGreg 3669 days ago
Good point. Why do we have passwords anyway? Just to authenticate at unanticipated access points? We could always just do two-factor authentication for that. A code would be sent to Google Authenticator on your phone or something like that, encrypted with your public key, and you'd just decrypt it with your private key. The phone would be secured with your password or fingerprint, which is never sent anywhere. The code would allow you to auth with the new access point. If the cellphone was connected to the internet, it could send the key directly and the site would log you in. If not connected to the net, it could use bluetooth or optical or sound to communicate with the access point (eg web browser running on a computer) to send the code. Only in the worst case would you have to type anything in yourself.

Since most people walk around with their cellphones, you could even precompute a couple keys to unlock a site, for those times when there is no internet connection. Of course, your phone should be secured with a password and you should be able to revoke the keys if anything gets lost.

link
rietta 3669 days ago
Because usernames and passwords can be implemented without reliance on 3rd party infrastructure and they are culturally accepted and understood - however poorly - by everyone. We're still using 80 character lines in programming because of IBM punch card design from 1928. Similarly, I doubt the password will completely go away within our grandchildren's lifetimes. That said, our mobile devices are likely to play an increasing role in authentication for everyday activities.
link
tremon 3669 days ago
We use passwords both to authenticate (assert identity) and to authorize (declare intent). The problem with automated logins is that you cannot infer intent (i.e. you have no assurance that the user actually meant to log in to your service).
link
nowen 3669 days ago
Google authenticator is only one-factor, possession of the shared secret in the phone. That's why it requires 'two-steps'.
link
EGreg 3669 days ago
Well, the password on the phone is the other factor. No need to send the password anywhere.
link