Update 2020-02-14: As pointed out by a reader (thank you!), attestations do not protect against man-in-the-middle attacks where an attacker owns a genuine authenticator of
Tag: Passwords
FIDO2: Solving the Password Problem
Introduction Passwords are a problem and you’d be hard-pressed to find a security professional who disagrees. According to Verizon’s 2019 Data Breach Investigation Report, 62%
Closing the Password Hashing Competition, releasing Argon2
In fall 2012, I proposed to organize an open competition in order to develop a new crypto standard for hashing passwords—be it to protect users’
Secure password hashing: requirements and design choices
This is the promised follow-up to my first post on secure password hashing. We now focus on the security requirements and design choices, which will
Secure password hashing: why we need it
Nobody likes passwords. Especially when you receive your password in clear text after hitting “forgot my password”—evidence that the server stores the password either in
