by bigmac 3170 days ago
This isn't only about HSMs or dedicated services. To anyone reading this thread: the key thing to understand here is: How do crypto-anchors help against attacks that allow `select *` from a database? A: Per-record encryption mediated by a dedicated microservice.

But there's really nothing "cryptographic" about an isolated authentication service. To drive the point home, and don't do this, but if you (1) used dedicated hardware to run it, (2) IP filtered the box down to just HTTPS, and (3) ran the service using Go, Rust, or Java Servlets, you probably wouldn't even need to use a good password hash.

I'm only talking about the AuthN problem, by the way. I'm not making a general argument against circuit breaker architectures.

Folks need to worry about being able to protect more than just passwords. Engineers should be doing a good job of protecting SSNs, phone numbers, home addresses, etc. Crypto-anchoring can help for the general case of protecting sensitive information, not just passwords. `select *` shouldn't give anything in your infrastructure bulk access to sensitive information. The 'cryptographic' thing here is per-record encryption.

I think tokenizing services are a very good idea in general. I just think there are easier and more effective ways to handle the AuthN problem.
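
An added illustration of the per-record encryption idea discussed in this thread, not code from any commenter: the key lives only inside a dedicated service, so a table dump holds ciphertext and every read costs one call to that service. The `AnchorService` name, the decrypt rate limit and the HMAC-SHA256 keystream (a standard-library stand-in for a real AEAD such as AES-GCM) are assumptions of this sketch.

```python
import hashlib, hmac, os, time

# Constructed sample rows; in a real system only the ciphertext reaches the database.
SAMPLE_ROWS = {"user:1": b"078-05-1120", "user:2": b"555-0100", "user:3": b"1 Main St"}

class AnchorService:
    """Hypothetical dedicated microservice: the master key never leaves it."""

    def __init__(self, max_decrypts=2, window_seconds=60.0, clock=time.monotonic):
        self._key = os.urandom(32)
        self._max, self._window, self._clock = max_decrypts, window_seconds, clock
        self._calls = []  # timestamps of recent decrypt calls

    def _subkey(self, label, record_id):
        # Per-record key: bound to the record id, derived from the master key.
        return hmac.new(self._key, label + record_id.encode(), hashlib.sha256).digest()

    def _xor_stream(self, record_id, nonce, data):
        rk, out, ctr = self._subkey(b"enc|", record_id), b"", 0
        while len(out) < len(data):
            out += hmac.new(rk, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return bytes(a ^ b for a, b in zip(data, out))

    def _tag(self, record_id, body):
        return hmac.new(self._subkey(b"mac|", record_id), body, hashlib.sha256).digest()

    def encrypt(self, record_id, plaintext):
        nonce = os.urandom(16)
        body = nonce + self._xor_stream(record_id, nonce, plaintext)
        return body + self._tag(record_id, body)

    def decrypt(self, record_id, blob):
        # Bulk reads show up here as a burst of calls, not as one SQL query.
        now = self._clock()
        self._calls = [t for t in self._calls if now - t < self._window]
        if len(self._calls) >= self._max:
            raise PermissionError("decrypt rate limit exceeded")
        self._calls.append(now)
        body, tag = blob[:-32], blob[-32:]
        if len(blob) < 48 or not hmac.compare_digest(tag, self._tag(record_id, body)):
            raise ValueError("ciphertext does not belong to this record")
        return self._xor_stream(record_id, body[:16], body[16:])

if __name__ == "__main__":
    svc = AnchorService()
    table = {rid: svc.encrypt(rid, v) for rid, v in SAMPLE_ROWS.items()}  # what `select *` returns
    print(svc.decrypt("user:1", table["user:1"]))
```
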