Hacker News new | past | comments | ask | show | jobs | submit login

SRP is a great PAKE (password-authenticated key agreement), it can make certain types of attacks to steal a password (like MITM) nearly impossible.

There's also a newer PAKE that improves slightly on SRP, called SPAKE2: https://datatracker.ietf.org/doc/draft-irtf-cfrg-spake2/?inc...

A PAKE does mean bad guys don't get the password, but that's not necessarily much of a win if the password was only defending an endpoint which was much more valuable than the password anyway.

If the PAKE keeps bad guys who break into the Crab Positivity Forum from learning a password which I also used for my GMail that's great, maybe they post anti-Crab propaganda and get me banned, but I'll live. Whereas if my bank uses it and bad guys empty the account but thanks to a PAKE don't learn my password in the process I'm gonna think that is a very cold comfort.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact