My comment is in two parts. First, the govt has no business auditing private companies about how to store credit cards or passwords. There should be no regulations in principle, and security is no exception. Better security has to come from private initiatives.

You say that big companies like don’t innovate enough about security? The internet of today would still be like the Gopher of the 1990s if it were not for its commercial use. And what about the iPhone and the iPad, which not long ago were Star Trek tablet science fiction? And what about Face ID and Touch ID?

Second, about OPAQUE. I wrote a Medium post about it too. If the server’s database is compromised, any password can be brute-forced, because the server stores the salt. So just try many password + salt combinations until you can decrypt the user’s record. That’s why the RFC suggests using scrypt. However, the whole point of OPAQUE is to allow relatively weak passwords. (Strong passwords can just form crypto keys directly, and the whole of OPAQUE is not needed.)

Even without brute-forcing the password, such a database can be used to simulate a MITM and cause the user to trust the server, which opens the door to phishing, to collect the cleartext password.

The course of history is determined by the spreading of ideas. I’m spreading the good ones.
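
Added example, not part of the comment above: a rough estimate of how a key-stretching function such as scrypt changes the cost of each offline guess against a stolen record when the password is weak. It models only the stretching step, not the OPAQUE protocol itself; the scrypt parameters, the 30-bit password entropy and the 1000 parallel workers are assumptions chosen for illustration.

```python
import hashlib
import os
import time

def scrypt_memory_bytes(n, r):
    """Approximate RAM one scrypt evaluation needs: 128 * N * r bytes."""
    return 128 * n * r

def fast_hash(password, salt):
    """Unstretched baseline: a single SHA-256 over salt + password."""
    return hashlib.sha256(salt + password).digest()

def stretched(password, salt, n=2**14, r=8, p=1):
    """scrypt with assumed parameters (N=2^14, r=8, p=1, about 16 MiB)."""
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=32)

def seconds_per_guess(derive, trials=3):
    """Best wall-clock time of one derivation on this machine."""
    salt = os.urandom(16)  # constructed salt, not from any real record
    best = float("inf")
    for i in range(trials):
        start = time.perf_counter()
        derive(b"constructed-guess-%d" % i, salt)
        best = min(best, time.perf_counter() - start)
    return best

def expected_guesses(entropy_bits):
    """On average half of the password space is searched before a hit."""
    return 2 ** (entropy_bits - 1)

def expected_hours(entropy_bits, per_guess_s, workers=1):
    """Expected search time if the work is split evenly across workers."""
    return expected_guesses(entropy_bits) * per_guess_s / workers / 3600

def report(entropy_bits=30, workers=1000):
    """Map each function name to (seconds per guess, expected hours)."""
    rows = {}
    for name, fn in (("sha256", fast_hash), ("scrypt", stretched)):
        cost = seconds_per_guess(fn)
        rows[name] = (cost, expected_hours(entropy_bits, cost, workers))
    return rows

if __name__ == "__main__":
    mib = scrypt_memory_bytes(2**14, 8) / 2**20
    print(f"scrypt memory per guess: {mib:.0f} MiB")
    for name, (cost, hours) in report().items():
        print(f"{name:7s} {cost * 1e3:10.4f} ms/guess  {hours:12.4f} h expected")
```

The timings are specific to the machine that runs the script; the ratio between the two rows is the useful figure when choosing parameters.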
