...that's a Cloudflare security page. Is this a default setting for one of Cloudflare's security options, or did Algolia specifically add this to some edge detection worker or something? I'm curious which party is being ridiculous.
So much for CloudFlare's stance on free speech, I'm being censored for comedy!
(The title is a wordplay on What We Do in the Shadows.)
Joke aside, I can understand why, generally, protecting from /etc/shadow disclosures is a good default, but it should be possible to disable this particular protection. If anyone knows how, that'd be good to share.
Ohhh Cloudflare. I have to wonder how many sites are left that are actually vulnerable to having their shadow file dumped. Even for the sites that have filesystem traversal vulns, how many of those would cough up something publicly accessible from the shadow file?
I notice the article stopped citing examples of large-scale password cracking after the introduction of PBKDF2.
Technical tours through the winding passages of password management in services is fun and all, but I wonder if this is ultimately contributing more to bad habits than good ones.
Readers capable of implementing something like OPAQUE will already have a pretty good handle on most of what's written here. All other developers will just grab whatever "the" off-the-shelf solution is for their language and tech stack, and any recommendations for those are conspicuously absent here. What are the best resources for the most popular tech stacks currently? PHP introduced the password_hash() function (and related functions) in its standard library a while back. It defaults to bcrypt, and most php devs should probably just use those functions, unless they're sure they know better.
There's another end of all this that I also never see addressed in writeups like this one: lots of users are still really bad at passwords. I still have a few friends that obsessively write passwords down on index cards and rotate the same weak passwords through all the services they use. I have installed password managers for them; I have walked through using password managers multiple times; I have explained the risks half a dozen times, with a different strategy each time. As the blogger says, "passwords suck". Ultimately people like this keep reusing crappy passwords everywhere because services don't prevent it, and in that case, it mostly doesn't matter which fancypants algorithm you go with for handling authentication.
For a while, some misguided sites tried to prevent people from pasting passwords into their login forms. I have never seen the inverse: a site that prevents users from typing a password. Is there a reason that wouldn't work? Because if it would, it would only take a few big services doing that to finally force the last holdouts to adopt password managers. And that, I think, would contribute a lot more to overall password security than trying to decide whether to use bcrypt, scrypt, pbkdf2, argon, or hokeypokey5.
> There's another end of all this that I also never see addressed in writeups like this one: lots of users are still really bad at passwords.
Author here.
I was originally planning to write a blog post about my experience reporting cryptography-related bugs to password managers in 2022. (I had findings for LastPass, 1Password, and Keeper.)
However, I found in my early draft that I spent a lot of time explaining these algorithms, so I decided to spin it off into a separate article. Thus, this post was conceived!
> I notice the article stopped citing examples of large-scale password cracking after the introduction of PBKDF2.
At that point, I figured the point had been made already, and wanted to focus on the algorithms.
> Readers capable of implementing something like OPAQUE will already have a pretty good handle on most of what's written here. All other developers will just grab whatever "the" off-the-shelf solution is for their language and tech stack, and any recommendations for those are conspicuously absent here. What are the best resources for the most popular tech stacks currently? PHP introduced the password_hash() function (and related functions) in its standard library a while back. It defaults to bcrypt, and most php devs should probably just use those functions, unless they're sure they know better.
I tried to make the post a good balance of fun and informative, but the audience was "people who want to know more about cryptography with passwords" not specifically developers.
As you indicated, if you're developing something, the password_hash() / password_verify() API your language provides is likely 1000x safer than rolling your own anything. If there is to be improvements in the cryptography for a given programming language, it should be an update to whatever the de facto standard library is for that language.
PHP has the password extension built-in. Python has passlib. Node has the crypto module. Etc.
> For a while, some misguided sites tried to prevent people from pasting passwords into their login forms. I have never seen the inverse: a site that prevents users from typing a password. Is there a reason that wouldn't work?
I'm not confident in this, since it's 4:46 AM for me and I should probably be sleeping instead of reading HN comments, but isn't this exactly how Passkey is supposed to work? I could be confusing it with another thing though.
Anyway, thanks for your insightful feedback. I already planned a teardown into the reverse-engineered internals of popular password managers and my experiences with them. Because of your comment, I might also make a future blog post targeting developers.
In the meantime, here's some cool stuff:
https://github.com/dropbox/zxcvbn - A reasonable approach to password strength estimation (although I think their calculation needs updating in 2023)
The bit about selling to the government isn't quite right. Check out NIST SP 800-63B §5.1.1.2. They're very keen on memory-hard functions, as long as the underlying primitives are approved. For some reason they single out Balloon, which I wouldn't recommend since there's only a prototype implementation, but scrypt and yescrypt are usable.
Great article! Thanks for adding the mention to Dashlane, I appreciate it.
As a side note, since you are mentioning it, we use zxcvbn to check password strength and I hope we are going to add k-anonymity style checking for leaked passwords very soon :)
"Stop enjoying things I don't like, that's bad. I'm going to go out of my way to create alt accounts to 'hide from being harassed' while doing the harassing!"
Nobody cares what you think. Everyone knows your beliefs are impotent by the need to generate a throwaway.
Hi, I perform research in the area of PAKEs. I'm not a "foremost expert" but I know a bit. Before I start, I don't believe that it's standard to use the term "doubly augmented PAKEs". Instead, I'll use the more accepted shorthand "saPAKE" for "strong asymmetric PAKE".
I think it's important to note that the provided saPAKE Double BS-SPEKE does not come with a security proof. A proof of a similar protocol is not hard if you believe in the compiler provided in the JKX18 paper[1] and you believe that B-SPEKE is a UC-secure aPAKE but it's important to note that the JKX compiler is not proven secure against the updated functionality from their revisions. Further, I don't believe that B-SPEKE has a security proof in any model let alone the UC model.
But I can say for certain that the currently described protocol is not a secure saPAKE as it doesn't prevent an adversary from impersonating a client after stealing the server's password file.
The adversary learns (B, salt, P, C, s, b, regMAC) and needs to produce (a * P, H(idC, idS, A, B, a * B, c * B, s * A))
a is uniformly sampled, so the adversary knows a * P, A, B, a * B, and s * A.
We're missing c * B, but this is just b * C which we know. So the adversary can produce all messages required and arrive at the server's key.
This may not be a security guarantee that you need for your use case, but I cannot recommend Double BS-SPEKE as an saPAKE (or even an aPAKE) until we see a formalized analysis of its guarantees.
I'm still not sure what "doubly augmented" means, but the talk seems to conflate the security properties of OPAQUE and double BS-SPEKE as well as listing doubly augmented as a subset of augmented PAKEs.
The "augmented" label confused me a lot too. I saw Steve Thomas's presentation in person at DEF CON and could not find material online using that phrase outside of his materials.
Augmented is a common label for these kind of PAKEs. Generally speaking, asymmetric, verifier-based, and augmented are all three interchangeable.
Sc00bz made a comment[1] on reddit describing what "doubly augmented" means where they succinctly describe it as
"A doubly augmented PAKE is where both sides can store data to authenticate with eachother but not themselves."
This mirrors the definition of aPAKE and makes sense, but this sounds more like the security property provided by CRISP[2]. This doesn't make sense in the context of double BS-SPEKE as the client inputs their password in the clear which can be used to generate the server's storage without any "guessing".
I mixed up "b" stored by the server in the registration phase and the "b" used in the online phase. In that case, the adversary can't compute either b * C or c * B (by probably just CDH).
This being said, there's a more technical problem with the protocol as-is with how the OPRF is used. Currently, the adversary can malleate the OPRF messages resulting in a valid/invalid session between two honest parties without the simulator being able to distinguish between the two cases. This comes from the perfect blinding property of 2hDH and is discussed in the OPAQUE paper[1].
There may be other problems, but _most_ of the protocol passes a quick smell test.
Sorry for any confusion!
-- EDIT --
I'm not really surprised that this problem came out as the JKX compiler is quite nuanced (more so than the paper immediately lets on). So I definitely suggest walking through the proof before applying this protocol anywhere; however, the current protocol seems like a good jumping off point. I think there also needs to be a clear reason to use a SPEKE derivative as the aPAKE building block.
33 comments
[ 3.5 ms ] story [ 82.2 ms ] threadeg try this
https://hn.algolia.com/?query=What%20We%20Do%20in%20the%20%2...
(The title is a wordplay on What We Do in the Shadows.)
Joke aside, I can understand why, generally, protecting from /etc/shadow disclosures is a good default, but it should be possible to disable this particular protection. If anyone knows how, that'd be good to share.
EDIT: A bypass has been discovered https://infosec.exchange/@jsmall/109647469548014823
Technical tours through the winding passages of password management in services is fun and all, but I wonder if this is ultimately contributing more to bad habits than good ones.
Readers capable of implementing something like OPAQUE will already have a pretty good handle on most of what's written here. All other developers will just grab whatever "the" off-the-shelf solution is for their language and tech stack, and any recommendations for those are conspicuously absent here. What are the best resources for the most popular tech stacks currently? PHP introduced the password_hash() function (and related functions) in its standard library a while back. It defaults to bcrypt, and most php devs should probably just use those functions, unless they're sure they know better.
There's another end of all this that I also never see addressed in writeups like this one: lots of users are still really bad at passwords. I still have a few friends that obsessively write passwords down on index cards and rotate the same weak passwords through all the services they use. I have installed password managers for them; I have walked through using password managers multiple times; I have explained the risks half a dozen times, with a different strategy each time. As the blogger says, "passwords suck". Ultimately people like this keep reusing crappy passwords everywhere because services don't prevent it, and in that case, it mostly doesn't matter which fancypants algorithm you go with for handling authentication.
For a while, some misguided sites tried to prevent people from pasting passwords into their login forms. I have never seen the inverse: a site that prevents users from typing a password. Is there a reason that wouldn't work? Because if it would, it would only take a few big services doing that to finally force the last holdouts to adopt password managers. And that, I think, would contribute a lot more to overall password security than trying to decide whether to use bcrypt, scrypt, pbkdf2, argon, or hokeypokey5.
Author here.
I was originally planning to write a blog post about my experience reporting cryptography-related bugs to password managers in 2022. (I had findings for LastPass, 1Password, and Keeper.)
My experience with LastPass was abysmal. I wrote a thread about it here: https://furry.engineer/@soatok/109560736140669727
However, I found in my early draft that I spent a lot of time explaining these algorithms, so I decided to spin it off into a separate article. Thus, this post was conceived!
> I notice the article stopped citing examples of large-scale password cracking after the introduction of PBKDF2.
At that point, I figured the point had been made already, and wanted to focus on the algorithms.
> Readers capable of implementing something like OPAQUE will already have a pretty good handle on most of what's written here. All other developers will just grab whatever "the" off-the-shelf solution is for their language and tech stack, and any recommendations for those are conspicuously absent here. What are the best resources for the most popular tech stacks currently? PHP introduced the password_hash() function (and related functions) in its standard library a while back. It defaults to bcrypt, and most php devs should probably just use those functions, unless they're sure they know better.
I tried to make the post a good balance of fun and informative, but the audience was "people who want to know more about cryptography with passwords" not specifically developers.
As you indicated, if you're developing something, the password_hash() / password_verify() API your language provides is likely 1000x safer than rolling your own anything. If there is to be improvements in the cryptography for a given programming language, it should be an update to whatever the de facto standard library is for that language.
PHP has the password extension built-in. Python has passlib. Node has the crypto module. Etc.
> For a while, some misguided sites tried to prevent people from pasting passwords into their login forms. I have never seen the inverse: a site that prevents users from typing a password. Is there a reason that wouldn't work?
I'm not confident in this, since it's 4:46 AM for me and I should probably be sleeping instead of reading HN comments, but isn't this exactly how Passkey is supposed to work? I could be confusing it with another thing though.
Anyway, thanks for your insightful feedback. I already planned a teardown into the reverse-engineered internals of popular password managers and my experiences with them. Because of your comment, I might also make a future blog post targeting developers.
In the meantime, here's some cool stuff:
https://github.com/dropbox/zxcvbn - A reasonable approach to password strength estimation (although I think their calculation needs updating in 2023)
https://github.com/DivineOmega/password_exposed - Checks if a given password has been exposed in a previous breach (uses the HIBP hash database)
(I've updated the post to encapsulate your correction.)
As a side note, since you are mentioning it, we use zxcvbn to check password strength and I hope we are going to add k-anonymity style checking for leaked passwords very soon :)
Nobody cares what you think. Everyone knows your beliefs are impotent by the need to generate a throwaway.
Any pointers to relevant literature will also help.
https://libsodium.gitbook.io/doc/password_hashing
It uses the Argon2 algorithm (RFC9106).
I have studied Argon2 and in my opinion it really is an improvement over the older methods.
And is there a way to derive a public key using a derived private key, say, for example, by using ECC?
Or for signatures, crypto_sign_seed_keypair(). Use the output of Argon2 as the seed.
I think it's important to note that the provided saPAKE Double BS-SPEKE does not come with a security proof. A proof of a similar protocol is not hard if you believe in the compiler provided in the JKX18 paper[1] and you believe that B-SPEKE is a UC-secure aPAKE but it's important to note that the JKX compiler is not proven secure against the updated functionality from their revisions. Further, I don't believe that B-SPEKE has a security proof in any model let alone the UC model.
But I can say for certain that the currently described protocol is not a secure saPAKE as it doesn't prevent an adversary from impersonating a client after stealing the server's password file.
The adversary learns (B, salt, P, C, s, b, regMAC) and needs to produce (a * P, H(idC, idS, A, B, a * B, c * B, s * A))
a is uniformly sampled, so the adversary knows a * P, A, B, a * B, and s * A. We're missing c * B, but this is just b * C which we know. So the adversary can produce all messages required and arrive at the server's key.
This may not be a security guarantee that you need for your use case, but I cannot recommend Double BS-SPEKE as an saPAKE (or even an aPAKE) until we see a formalized analysis of its guarantees.
[1] OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks https://eprint.iacr.org/2018/163
--- EDIT ---
I just came across the original talk https://www.youtube.com/watch?v=gopo2FI9epw using the term "doubly augmented" and I'll update this post soon.
I'm still not sure what "doubly augmented" means, but the talk seems to conflate the security properties of OPAQUE and double BS-SPEKE as well as listing doubly augmented as a subset of augmented PAKEs.
Sc00bz made a comment[1] on reddit describing what "doubly augmented" means where they succinctly describe it as
"A doubly augmented PAKE is where both sides can store data to authenticate with eachother but not themselves."
This mirrors the definition of aPAKE and makes sense, but this sounds more like the security property provided by CRISP[2]. This doesn't make sense in the context of double BS-SPEKE as the client inputs their password in the clear which can be used to generate the server's storage without any "guessing".
[1] https://old.reddit.com/r/crypto/comments/zy8w3y/what_we_do_i...
[2] CHIP and CRISP: Protecting All Parties Against Compromise through Identity-Binding PAKEs https://eprint.iacr.org/2020/529
" Client without password has:
I mixed up "b" stored by the server in the registration phase and the "b" used in the online phase. In that case, the adversary can't compute either b * C or c * B (by probably just CDH).
This being said, there's a more technical problem with the protocol as-is with how the OPRF is used. Currently, the adversary can malleate the OPRF messages resulting in a valid/invalid session between two honest parties without the simulator being able to distinguish between the two cases. This comes from the perfect blinding property of 2hDH and is discussed in the OPAQUE paper[1].
There may be other problems, but _most_ of the protocol passes a quick smell test.
Sorry for any confusion!
-- EDIT --
I'm not really surprised that this problem came out as the JKX compiler is quite nuanced (more so than the paper immediately lets on). So I definitely suggest walking through the proof before applying this protocol anywhere; however, the current protocol seems like a good jumping off point. I think there also needs to be a clear reason to use a SPEKE derivative as the aPAKE building block.
soatok.blog##figure:has(> figcaption:has-text(/Art by/))
soatok.blog##figure:has(> figcaption:has-text(/Art: /))