|
|
|
|
|
|
by whoisthisfor
2396 days ago
|
|
|
Everytime I dig into PAKEs, I find disappointment. If we all used a PAKE from the start of computers, maybe we'd be better off, but that's just because we would have been burned by them a dozen times. Right now the tech is very immature and asking a Dev to use these is essentially asking them to pick a cipher mode and padding for AES. There are no browser native SRP implementations and WebCrytpo doesn't support the primitives. The complexity these add isn't worth it for your vanilla website, IMO. |
|
|
This. Similarly, I looked into the web crypto API yesterday to see if I could use argon2 yet. Nope, and also not scrypt, so no memory-hard standards at all. Heck, it doesn't even do bcrypt. Not sure why I hoped for anything else, but the best thing it has to offer is PBKDF2.
Unless browsers start to support the things actually in use, I guess in-browser crypto is doomed and everything will remain server side or consist of homebrew javascript implementations.