
These challenge-response mechanisms still require a shared secret. This means the server still needs to know either your password or a hashed version of it. TLS covers the problems a challenge-response method is supposed to solve. That is, TLS prevents replay attacks because the shared secret is sent under encryption.

Really, the solution to exposing passwords to the endpoint is to do key-derivation client-side, with a server-provided salt.



> Really, the solution to exposing passwords to the endpoint is to do key-derivation client-side, with a server-provided salt.

That sounds a lot like Secure Remote Password protocol: https://en.wikipedia.org/wiki/Secure_Remote_Password_protoco...

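Worked example of the scheme both comments above point at, added here and not part of the thread: an SRP-6a exchange in which the client derives its secret exponent from the password plus a server-provided salt, the server stores only the resulting verifier v = g^x mod N, and the two sides prove knowledge of the password to each other without the password or a reusable hash of it ever crossing the wire. The group is the 1024-bit one from RFC 5054 Appendix A, transcribed from memory for this example (a Fermat check on N and (N-1)/2 is included; verify the constant against the RFC and prefer a larger group before relying on it). The PBKDF2 step in `derive_x` is this example's choice, not the RFC's construction, which uses a single hash; both ends must agree on it. `enroll` and `authenticate` drive both sides in one process for illustration.

```python
import hashlib
import hmac
import secrets

# 1024-bit SRP group from RFC 5054 Appendix A (assumption: transcribed from
# memory of the RFC; check it against the RFC, and use 2048-bit+ in practice).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8


def group_looks_safe_prime() -> bool:
    """Fermat sanity check that N and (N-1)/2 are (probable) primes."""
    q = (N - 1) // 2
    return pow(2, N - 1, N) == 1 and pow(2, q - 1, q) == 1


def pad(x: int) -> bytes:
    """Left-pad an integer to the byte length of N (RFC 5054 PAD)."""
    return x.to_bytes(NLEN, "big")


def sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")


k = to_int(sha(pad(N), pad(g)))  # SRP-6a multiplier k = H(N | PAD(g))


def derive_x(salt: bytes, username: str, password: str) -> int:
    """Client-side key derivation from the password and the server-provided
    salt. RFC 5054 uses one SHA pass here; this example (an assumption) runs
    PBKDF2 so a stolen verifier is slower to attack offline."""
    inner = sha(f"{username}:{password}".encode())
    return to_int(hashlib.pbkdf2_hmac("sha256", inner, salt, 100_000))


def client_make_verifier(username: str, password: str, salt: bytes) -> int:
    """Enrollment: the client sends back only v = g^x mod N.
    The server stores (salt, v) and never sees the password."""
    return pow(g, derive_x(salt, username, password), N)


def enroll(db: dict, username: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # server picks and hands out the salt
    db[username] = (salt, client_make_verifier(username, password, salt))


def client_proof(username: str, salt: bytes, A: int, B: int, K: bytes) -> bytes:
    """M1 = H(H(N) xor H(g) | H(I) | s | A | B | K) binds K to the transcript."""
    hxor = bytes(p ^ q for p, q in zip(sha(pad(N)), sha(pad(g))))
    return sha(hxor, sha(username.encode()), salt, pad(A), pad(B), K)


def authenticate(db: dict, username: str, password: str):
    """One SRP-6a login, both sides in-process. Returns the shared session
    key when both proofs verify, otherwise None."""
    salt, v = db[username]                       # server: look up (s, v)
    a = secrets.randbelow(N - 2) + 1             # client ephemeral secret
    A = pow(g, a, N)                             # client -> server: I, A
    if A % N == 0:
        return None                              # server rejects A == 0 mod N
    b = secrets.randbelow(N - 2) + 1             # server ephemeral secret
    B = (k * v + pow(g, b, N)) % N               # server -> client: s, B
    if B % N == 0:
        return None                              # client rejects B == 0 mod N
    u = to_int(sha(pad(A), pad(B)))              # scrambling parameter
    if u == 0:
        return None
    x = derive_x(salt, username, password)       # client, from s and password
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_c = sha(pad(S_c))
    M1 = client_proof(username, salt, A, B, K_c)  # client -> server: M1
    S_s = pow((A * pow(v, u, N)) % N, b, N)      # server needs only v
    K_s = sha(pad(S_s))
    if not hmac.compare_digest(M1, client_proof(username, salt, A, B, K_s)):
        return None                              # wrong password: server aborts
    M2 = sha(pad(A), M1, K_s)                    # server -> client: M2
    if not hmac.compare_digest(M2, sha(pad(A), M1, K_c)):
        return None                              # server did not hold v
    return K_s


if __name__ == "__main__":
    users = {}
    enroll(users, "alice", "correct horse battery staple")
    print(authenticate(users, "alice", "correct horse battery staple") is not None)
    print(authenticate(users, "alice", "not the password") is None)
```

Two things the exchange shows that the comments do not spell out: a stolen database yields only (salt, v), which an attacker can still guess against offline, so the client-side derivation should be a slow KDF rather than a bare hash; and a passive observer sees A, B and the proofs but no password-equivalent, which is why SRP does not depend on TLS for the secrecy of the credential (it is still normally run inside TLS for everything else).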

> This means the server still needs to know either your password or a hashed version of it.

Yes, the latter, please.



