A password authentication scheme with secure password updating
Merely learning another person’s password lets you become that person in the eyes of others, do whatever you please in their name, and obtain their privileges in automated systems.
That’s why it is so critical to protect passwords properly.
So far, most current systems and secure protocols have used only three types of cryptographic primitives: encryption, key agreement and digital signatures.
Higher-level tasks, like authentication, are achieved by combining those primitives in some way in a protocol.
The history continues: the more sophisticated the schemes proposed for protecting the transmission of passwords, the better and smarter the attacks designed to defeat them.
Wouldn’t it be great to avoid transmitting the passwords at all?
Exercising a secret involves at least 2 parties: a prover (you) and a verifier (an entity which eventually decides whether your secret is the correct one and whether you deserve the privileges you claim).
However, if you cannot communicate with the verifier directly, you have to use one or more intermediate entities, in which case those entities know the secret as well.
From Ancient Roman times until now, passwords have been used to prove that one is worthy of some privilege that others do not possess but strongly desire to obtain.
It seemed that attackers couldn’t get the password, because reversing a hash function is computationally “almost impossible”. Even if someone used a complex password, attackers just used the hash directly to authenticate with the server using a “modified browser”.