Ask HN: What's a better alternative to Passwords?

2 pointsWhyDoPeople7y ago2 comments

We had a huge issue come up at our company. We will have to ask all our users to change their passwords.

Dealing with this, I'm lead to the conclusion that servers should not contain login information the way we currently are. I think something like a public/private key pairing may be better. But I'm just swinging in the dark here.

What are some better solutions for Account Authentication?

2 comments

2 comments · 2 top-level

stupidgeek3147y ago

https://developer.mozilla.org/en-US/docs/Web/API/Web_Authent...

https://www.grc.com/sqrl/sqrl.htm

bigiain7y ago

If losing all the user table with it's "password" column is requiring you to "ask all our users to change their passwords", you're probably doing it wrong - and switching to some less well tested auth mechanism without the expertise to get that right either is probably just trading vulnerabilities...

(If you're just requiring password changes out of an abundance of caution even though you're properly using bcrypt/scrypt/pbkdf2 - then my comment above is less relevant.)

j / k navigate · click thread line to collapse