by tialaramex
1998 days ago
Password-based authentication is very bad news. We've known that for decades. It became the first resort anyway†. The RFC this author is complaining about (which is a decade old at this point) is just yet another way to use passwords. Stop it. If you actually wanted to build one of these today you would not build one of those toy digest systems, you'd use a PAKE such as OPAQUE: https://tools.ietf.org/html/draft-irtf-cfrg-opaque-01. But arguably, instead of dedicating effort to trying to "fix" password authentication, it's better to just do much less of it. On the web that means much more WebAuthn.

† This mistaken inversion happens a lot. When working on the British railways there is supposed to be an assessment of the safest practical method of performing the work. What used to be known as "red zone" working, where there are still trains using the railway while you work on it, is inherently dangerous and to be avoided. Red zone should be a last resort. But in practice what you will routinely find after a red zone accident is that they picked red zone not out of necessity but simply because their planners had fallen into a habit of always justifying this unsafe practice rather than choosing methods that might delay things, inconvenience workers or require purchasing equipment. It had become their first resort instead.
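To make concrete what the comment above calls a "toy digest system", here is an added example (not code from the thread or from any RFC) that computes and verifies an HTTP Digest response in the RFC 7616 style with SHA-256 and qop=auth. The realm, user, password, nonces and request are constructed sample values. It assumes RFC 7616 is the digest RFC being discussed, which the thread does not name. The point it shows is the property the comment's PAKE recommendation addresses: the value a digest verifier must store, H(A1), is itself sufficient to produce a valid response, so a leaked verifier database is equivalent to a leaked password database, and any captured response can be checked offline against password guesses. A PAKE such as OPAQUE is designed so that the server's stored record does not have either property.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread): one realm, one user,
# and one request a client would authenticate with Digest/SHA-256/qop=auth.
REALM = "example.org"
USERNAME = "alice"
PASSWORD = "correct horse battery staple"
METHOD = "GET"
URI = "/account"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed server nonce
CNONCE = "0a4f113b"                            # constructed client nonce
NC = "00000001"                                # nonce count, hex
QOP = "auth"


def h(data: str) -> str:
    """H() as used by RFC 7616 with algorithm=SHA-256: lowercase hex digest."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = H(username:realm:password).

    This is the only thing a digest verifier needs to keep per user,
    and it is what the server-side database stores."""
    return h(f"{username}:{realm}:{password}")


def response_from_ha1(ha1_hex: str, method: str, uri: str, nonce: str,
                      nc: str, cnonce: str, qop: str) -> str:
    """response = H(H(A1):nonce:nc:cnonce:qop:H(A2)), with A2 = method:uri."""
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str, qop: str) -> str:
    """What a client computes from the cleartext password for one request."""
    return response_from_ha1(ha1(username, realm, password),
                             method, uri, nonce, nc, cnonce, qop)


def server_verify(stored_ha1: str, presented: str, method: str, uri: str,
                  nonce: str, nc: str, cnonce: str, qop: str) -> bool:
    """Server-side check: recompute from the stored H(A1) and compare in
    constant time. Nonce freshness / replay tracking is out of scope here."""
    expected = response_from_ha1(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, presented)


def stored_verifier_is_password_equivalent(stored_ha1: str) -> bool:
    """Risk check for defenders: returns True when a party holding only the
    stored H(A1), never the password, can still produce a response the
    server accepts. For RFC 7616 Digest this is always True, which is why
    the verifier database must be protected like a password database."""
    forged = response_from_ha1(stored_ha1, METHOD, URI, NONCE, NC, CNONCE, QOP)
    return server_verify(stored_ha1, forged, METHOD, URI, NONCE, NC, CNONCE, QOP)


if __name__ == "__main__":
    stored = ha1(USERNAME, REALM, PASSWORD)
    resp = client_response(USERNAME, REALM, PASSWORD, METHOD, URI, NONCE, NC, CNONCE, QOP)
    print("correct password accepted:", server_verify(stored, resp, METHOD, URI, NONCE, NC, CNONCE, QOP))
    print("stored H(A1) alone suffices:", stored_verifier_is_password_equivalent(stored))
```

Note that `server_verify` uses `hmac.compare_digest` rather than `==`; that closes a timing side channel on the comparison, but it does nothing about the structural weakness that `stored_verifier_is_password_equivalent` exposes, which is a property of the scheme and not of the implementation.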
Do you know if/when it is being considered for implementation in the major browsers? Given that even a SHA-256 digest implementation is missing and that OPAQUE seems much harder to implement, I wouldn't be surprised if it takes another decade.

Regarding not using passwords at all, unfortunately this is not something I can use as a web user with hundreds of logins.