
I don't understand why servers don't just store passwords as a public/private key schema. A private key is algorithmically generated from a password with the public key stored on the server. When logging in the server sends a one-use-only 'challenge' as an encrypted blob to the person logging in. Locally they use the algorithmic private key generated from their password to decrypt the blob and send the response back. And you're logged in.

Seems like a pretty simple system and absolutely nothing that has to be secured is stored server side. Is there some clever reason I'm missing that this system fails?

----

Even better you can also salt the password->key schema based on something like the username, making table based attacks infeasible.
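
The exchange described above, sketched as an added example that is not part of the original comment: the client derives a private exponent from the password with a username salt, the server stores only the public key, and each login uses a fresh ElGamal-style encapsulated challenge. The group, the iteration count and all function names are assumptions chosen so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

# Assumption: toy-sized group (integers mod the prime 2**255 - 19) so the block
# needs only the standard library; real systems use a vetted curve library.
P = 2**255 - 19
G = 2
# Assumed cost. The public key is a deterministic function of the password,
# so this work factor is what slows guessing against a leaked key table.
KDF_ITERATIONS = 200_000

def derive_private_key(username: str, password: str) -> int:
    """Client: password -> private exponent, salted with the username."""
    seed = hashlib.pbkdf2_hmac("sha256", password.encode(),
                               username.encode(), KDF_ITERATIONS)
    return int.from_bytes(seed, "big") % (P - 1) or 1

def register(username: str, password: str) -> int:
    """Client computes the public key; the server stores only this value."""
    return pow(G, derive_private_key(username, password), P)

def _tag(shared: int) -> bytes:
    """Hash the shared group element into the value the client must return."""
    return hashlib.sha256(b"login-response" + shared.to_bytes(32, "big")).digest()

def make_challenge(public_key: int) -> tuple:
    """Server: fresh one-use secret encrypted to the stored public key."""
    r = secrets.randbelow(P - 3) + 2
    blob = pow(G, r, P)                     # sent to the client
    expected = _tag(pow(public_key, r, P))  # kept server-side for this login
    return blob, expected

def answer_challenge(username: str, password: str, blob: int) -> bytes:
    """Client: re-derive the key from the password and decrypt the blob."""
    return _tag(pow(blob, derive_private_key(username, password), P))

def verify(expected: bytes, response: bytes) -> bool:
    """Server: constant-time comparison of the client's response."""
    return hmac.compare_digest(expected, response)

def login(stored_public_key: int, username: str, password: str) -> bool:
    """Run one full exchange, both sides, for a constructed user."""
    blob, expected = make_challenge(stored_public_key)
    return verify(expected, answer_challenge(username, password, blob))
```

Because every challenge uses a new random exponent, a response captured from one login does not verify against the next one.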


