undefined | Better HN

0 pointsrev_bird10y ago0 comments

I'm admittedly not familiar with the details of the hashing process, but it could be done client-side, no? Then the compute power required falls on the user, PLUS the 20 megs never gets sent over the wire.

0 comments

mkagenius10y ago

No. Actually we would not want the hashing technique to be exposed in the source code.

ColinWright10y ago

That turns out not to be the whole story.

Hiding the technique to compute the hash is relying on security by obscurity. Ideally you want a system that is secure even if potential attackers know what methods you're using.

GlennS10y ago

If you do the hashing on the client side, then the hash itself effectively becomes the password.

roblabla10y ago

That would assume your users have JS enabled. I've seen something like that done before, but always with a fallback in case user has JS disabled.

Retra10y ago

If you're not sending 20 megs of data, you're not getting 20 megs of security. So why allow it if it doesn't add anything?

ColinWright10y ago

It doesn't add to the security, but I might find it easier to remember 20 MB of redundant and meaningful stuff than to remember 384 bits of literally random stuff. The entropy might be the same, but my memory is not a computer. I can remember vast amounts of material that is meaningful and use it as a password. I can't remember 384 bits that have no meaning.

The benefit isn't in the entropy, it's in the abilities of your users to remember their passwords/passphrases in the first place.

0942v865310y ago

Maybe 1 or 2 KB, max. 20 million characters is a ridiculous password to remember.

1 more reply

j / k navigate · click thread line to collapse

0 comments

mkagenius10y ago

No. Actually we would not want the hashing technique to be exposed in the source code.

ColinWright10y ago

That turns out not to be the whole story.

Hiding the technique to compute the hash is relying on security by obscurity. Ideally you want a system that is secure even if potential attackers know what methods you're using.

GlennS10y ago

If you do the hashing on the client side, then the hash itself effectively becomes the password.

roblabla10y ago

That would assume your users have JS enabled. I've seen something like that done before, but always with a fallback in case user has JS disabled.

Retra10y ago

If you're not sending 20 megs of data, you're not getting 20 megs of security. So why allow it if it doesn't add anything?

ColinWright10y ago

The benefit isn't in the entropy, it's in the abilities of your users to remember their passwords/passphrases in the first place.

0942v865310y ago

Maybe 1 or 2 KB, max. 20 million characters is a ridiculous password to remember.

1 more reply

j / k navigate · click thread line to collapse