Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

If we're up for changing the standard, why not go with something that's significantly better than pass the hash, like some form of public-key crypto?

Having <input type='challenge' algo='xxx' challenge='reallylongrandomchallengetoken'> would work better than yours, I think?

There's also nothing stopping the user using a "password", where that password is fed through a KDF and then used to generate the relevant private key (all done client side) -- but this is only as strong as the password used, so a really savvy user would just generate the private-key really well, and store that in a similar way to the way SSH keys are stored (i.e. passphrase). Non-savvy users can generate it a-fresh every time.

But aren't we just re-implementing client-side SSL certifications?



Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: