SRP is a remote password protocol. WebAuthN is for public key-based credentials in web apps... so not really related?

SRP is a "perfect" remote password protocol: it reveals no information about your password, not even a salted secure hash of it, which could be brute forced or cracked. The only information that is gained by the server is whether the client has entered the correct password or not. It's somewhat surprising that this good of a password protocol even exists. There are others with similar properties, but it still surprises me.

The main reason I suspect that SRP didn't become widely used much earlier is that it was originally patented. The patent appears to have expired in 2015, so it seems like one can use the protocol for free now. The text on the Stanford SRP page [1] reads as though it was always designed to be open and freely usable, but that's not my recollection from reading about it years ago. I recall reading about the protocol (maybe 15-20 years ago), getting really excited and then getting to the part where it was patented and getting equally disappointed.

[1] http://srp.stanford.edu/whatisit.html
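The "server learns only pass/fail" property described in the comment above, as an added Python example (not code from this thread or from the Stanford SRP project) that runs one SRP-6a enrollment and login end to end; the group parameters N and g, the user name, salt and passwords are constructed values chosen for readability, not security.

```python
import hashlib
import secrets

# Toy group, constructed for this example: N is the Mersenne prime 2**31 - 1 and 7 is a
# primitive root mod N. A real deployment uses a 2048-bit or larger group (RFC 5054);
# this one is far too small to resist brute force and exists only to keep the math legible.
N = 2**31 - 1
g = 7


def H(*parts):
    """SHA-256 over ints/bytes, returned as an int (ints are big-endian encoded)."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes(max(1, (p.bit_length() + 7) // 8), "big")
        h.update(p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier parameter


def private_x(username, password, salt):
    """x = H(salt, H(username ':' password)); only the client ever computes this."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())


def register(username, password, salt=None):
    """Enrollment: the server stores (salt, v = g^x mod N); it never sees the password or x."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)


def login(username, password_tried, salt, v):
    """One SRP-6a exchange. The client side uses only password_tried; the server side
    uses only the stored verifier v. Returns (client_key, server_key)."""
    a = secrets.randbelow(N - 1) + 1          # client ephemeral secret
    A = pow(g, a, N)                          # client -> server
    while True:                               # server ephemeral; re-pick if B == 0
        b = secrets.randbelow(N - 1) + 1
        B = (k * v + pow(g, b, N)) % N        # server -> client
        if B != 0:
            break
    if A % N == 0:                            # server must reject A == 0 (forces S = 0)
        raise ValueError("degenerate A; abort")
    u = H(A, B)                               # both sides; SRP-6a aborts if u == 0
    if u == 0:
        raise ValueError("u == 0; abort")
    x = private_x(username, password_tried, salt)              # client only
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # (B - k*g^x)^(a + u*x)
    S_server = pow(A * pow(v, u, N) % N, b, N)                 # (A * v^u)^b
    # Keys match exactly when the client knew the password; the server learns nothing else.
    return H(S_client), H(S_server)
```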