
There is a better way: use an oracle-like device whose secret key is unavailable.

See (shameful plug) http://thesybil.net

Yes, it is academic but it should be everywhere.

I improved it to perform client-side hashing and encryption but have not had the time to update the docs.



I can't connect, the domain does not resolve.

But sure, there are good solutions to this, like SCRAM. Unfortunately, there is not much point when the authentication code is controlled by the server (e.g. JS served by a server).


Sorry, I always forget the order: http://thesibyl.net



