The Fundamental Password Authentication Problem
Examine why traditional password authentication creates server-side attack surfaces and what protocols solve this.
The Traditional Password Model
In traditional password authentication, the client sends the password (or a hash of it) to the server, which compares it against a stored value. This model is simple but concentrates enormous risk on the server: a database compromise exposes all user credentials simultaneously.
Server Compromise and Hash Cracking
When an attacker breaches a server and steals the password database, they can conduct an offline dictionary attack at full GPU speed with no rate limiting. Modern GPUs can test billions of password guesses per second against bcrypt or SHA-256 hashes, making weak or common passwords trivially recoverable.
All lessons in this course
- The Fundamental Password Authentication Problem
- SRP: Secure Remote Password Protocol
- PAKE Protocols and Their Properties
- Passwordless Auth: WebAuthn and FIDO2