Passwords sent over the wire are a well known source security problems on the net, and arguably the biggest one of them all. With webCrypto we can use public key cryptography to completely get rid of passwords sent over the wire -- and most especially their reuse -- for a large number of use cases.
I was motivated to revisit this problem after documenting the problem in RFC 7486 and prototyping code back in 2012 -- well before webCrypto and webAuthn. I had hoped that webAuthn would solve for use case but was disappointed to find out that it is bolted at the hip with hardware crypto dongles, where local credentials store were given short shrift.
I have documented and released my cleaned up prototype code to show how webCrypto can provide a simple solution for sites that do not require the additional security that crypto dongles provide. You can check out the running code at https://out.mtcc.com/hoba-bis and on github at https://github.com/shirikodama/hoba-bis
Top comments (0)