

HTML meet type="pSecure" - Cyndre
http://adamdomoney.posterous.com/html-meet-typepsecure

======
tptacek
To summarize a prior discussion:

First, read: <http://codahale.com/how-to-safely-store-a-password/>

Next, note that rainbow tables don't enter into the Gawker break; Gawker used
DES crypt(3) passwords, which can't readily be "rainbow tabled".

Finally, note that if you're going to advocate for a browser authentication
change, there are cryptographically sound protocols that have been studied for
over a decade that fit the bill far better than half-measures that do nothing
but break "rainbow tables". A good one to start reading up on is SRP.

~~~
getsat
Thank you for consistently adding a voice of reason to all these reactionary
blog posts. I would go insane were I in your shoes.

~~~
tptacek
No TV and no beer makes Homer something something.

No TV and no beer makes Homer something something.

No TV and no beer makes Homer something something.

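The SRP protocol tptacek points to, worked through as an added example that is not part of the thread or of any SRP library: a minimal SRP-6a exchange in Python with both the client's and the server's messages. The group parameters are the 1024-bit group from RFC 5054 with g = 2; SHA-256 is used as the hash throughout (RFC 5054 specifies SHA-1 for this group; the choice of hash does not change the exchange). The function names, the salt length and the use of a 256-bit private exponent are this example's own choices, not anything the comment specifies. The point to watch is what each side holds: the server stores only (salt, verifier) at enrolment, the password never leaves the client, and a stolen verifier cannot be replayed as a login, which is the difference from the "hash it in the browser" proposals the thread is reacting to.

```python
import hashlib
import secrets

# RFC 5054 1024-bit SRP group: N is a safe prime, generator g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3",
    16,
)
G = 2
N_BYTES = (N.bit_length() + 7) // 8  # 128


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding so hashed group elements are unambiguous."""
    return x.to_bytes(N_BYTES, "big")


def hash_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


K_MULT = hash_int(pad(N), pad(G))  # SRP-6a multiplier k = H(N | PAD(g))


def private_key_x(salt: bytes, username: str, password: str) -> int:
    # x = H(salt | H(username ":" password)); lives only on the client.
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return hash_int(salt, inner)


def register(username: str, password: str):
    """Enrolment: the server keeps (salt, verifier). v = g^x is not a password
    equivalent; knowing it does not let anyone complete the login below."""
    salt = secrets.token_bytes(16)  # 16-byte salt is this example's choice
    verifier = pow(G, private_key_x(salt, username, password), N)
    return salt, verifier


def client_hello():
    a = secrets.randbits(256)
    return a, pow(G, a, N)  # client -> server: A


def server_hello(verifier: int):
    b = secrets.randbits(256)
    return b, (K_MULT * verifier + pow(G, b, N)) % N  # server -> client: B


def client_session_key(username, password, salt, a, A, B) -> bytes:
    if B % N == 0:
        raise ValueError("server sent a degenerate B")
    u = hash_int(pad(A), pad(B))
    x = private_key_x(salt, username, password)
    base = (B - K_MULT * pow(G, x, N)) % N  # strips k*v, leaving g^b
    S = pow(base, a + u * x, N)
    return hashlib.sha256(pad(S)).digest()


def server_session_key(verifier, b, A, B) -> bytes:
    if A % N == 0:
        raise ValueError("client sent a degenerate A")
    u = hash_int(pad(A), pad(B))
    S = pow((A * pow(verifier, u, N)) % N, b, N)  # (A * v^u)^b == g^(b(a+ux))
    return hashlib.sha256(pad(S)).digest()


def client_proof(A: int, B: int, K: bytes) -> bytes:
    """M1: the client proves it derived K without ever sending the password."""
    return hashlib.sha256(pad(A) + pad(B) + K).digest()


def run_login(username, password_typed, salt, verifier):
    """Whole exchange. Returns (client K, server K, server_accepted)."""
    a, A = client_hello()
    b, B = server_hello(verifier)
    k_client = client_session_key(username, password_typed, salt, a, A, B)
    k_server = server_session_key(verifier, b, A, B)
    m1 = client_proof(A, B, k_client)
    accepted = secrets.compare_digest(m1, client_proof(A, B, k_server))
    return k_client, k_server, accepted


if __name__ == "__main__":
    s, v = register("alice", "correct horse battery staple")
    print(run_login("alice", "correct horse battery staple", s, v)[2])  # True
    print(run_login("alice", "wrong password", s, v)[2])  # False
```

Both sides arrive at the same K only when the client's x matches the x behind the stored verifier; a wrong password produces a different K on the client and the M1 check fails on the server. A production implementation would add the server's own proof M2, reject A or B that are 0 mod N (done here) and use a vetted library rather than hand-rolled arithmetic, but the message flow is exactly this.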
------
andrewjshults
If we take encrypt to mean hash (which is probably what the implementation
would most likely mean), this still has the same problem that server-side
hashing does. Hashing is fast, GPUs can burn through creating rainbow tables
at incredible speed (see
<http://stacksmashing.net/2010/11/15/cracking-in-the-cloud-amazons-new-ec2-gpu-instances/>).
Now if it's talking about implementing
bcrypt (<http://codahale.com/how-to-safely-store-a-password/>) in the browser
that would be a real solution, but then the problem becomes adoption (at which
point, you basically need to implement it on the server anyways). Plus, users
would need to be signaled that this was a safe password box, vs. an unsafe one
(which could easily be spoofed by malicious sites).

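To make andrewjshults's two points concrete (a fast unsalted hash is what "encrypt" usually turns into, and the fix has to live on the server), here is an added Python example that is not from the thread or from the codahale article it links. It contrasts an unsalted SHA-256 store with a salted, iterated store, and includes a defender-side audit that spots unsalted storage from the credential table alone. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt because bcrypt is not in Python's stdlib; the record format, the 100 000 iteration count and the sample users are this example's own constructions.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. bcrypt or scrypt are the usual choices;
# PBKDF2 is used here only because it ships in the standard library.
ITERATIONS = 100_000


def store_fast_unsalted(password: str) -> str:
    """What 'encrypt the password' usually becomes: one fast, unsalted hash.
    Identical passwords give identical hashes, and the cost per guess is tiny."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_slow_salted(password: str, iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus a tunable work factor, in a self-describing
    record so the iteration count can be raised later without a migration."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_slow_salted(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def shared_hash_groups(records):
    """Audit a credential table without knowing any password: in an unsalted
    store, users who chose the same password have byte-identical hashes, so any
    group of shared hashes is direct evidence the store is unsalted (and that a
    single precomputed entry would cover every user in the group). A salted
    store never produces such groups, even when passwords repeat."""
    by_hash = {}
    for user, stored in records:
        by_hash.setdefault(stored, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


# Constructed sample data: two users who picked the same password, one who did not.
SAMPLE_USERS = [("alice", "password123"), ("bob", "password123"), ("carol", "hunter2")]
UNSALTED_TABLE = [(u, store_fast_unsalted(p)) for u, p in SAMPLE_USERS]
SALTED_TABLE = [(u, store_slow_salted(p)) for u, p in SAMPLE_USERS]


if __name__ == "__main__":
    print("shared hashes, unsalted:", shared_hash_groups(UNSALTED_TABLE))  # [['alice', 'bob']]
    print("shared hashes, salted:  ", shared_hash_groups(SALTED_TABLE))    # []
    print(verify_slow_salted("hunter2", SALTED_TABLE[2][1]))               # True
```

The audit function is the practical check: run it over a dump of your own user table and any non-empty result means the storage format needs replacing. Note also why the server-side half is unavoidable: whatever a browser sends, hashed or not, is what the server compares against, so if the server stores that value directly it is once again a password equivalent; the server must still salt and stretch what it receives.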
------
rmc
_It would require nothing more than the browsers to implement it in the same
way_

Oh dear. That'll never happen (examples: CSS, HTML5 video, JavaScript), which
means this idea is dead in the water.

------
btn
Previous discussion (for the article this one is a response to):
<http://news.ycombinator.com/item?id=2000833>

------
DjDarkman
I think this should be server side....

