OPAQUE


The most common authentication method on the web is the password. The security of all of these systems relies on the security policies of remote sites to protect their users' credentials.
Please try out our demonstration, but be aware that this is not a production system: registrations persist for an hour and the user database is available for anyone to download*. The demo lets you register and log in.

*It is our contention that a breached OPAQUE user database cannot divulge passwords.
When (not if) a service experiences a data breach, and user credentials are exposed, attackers can use those details to impersonate the affected users. The success of the attacker depends on two common premises: users tend to reuse passwords across services, and servers often lack good practices for password storage.
A better approach is to let users authenticate with a password that never leaves their computing device. Together with the Cloudflare Blog posts and the OPAQUE draft standard process, we would like to maintain momentum towards this goal. The opaque-ts open source library used in this demo is self-contained and ready for use by servers and clients.
OPAQUE is a protocol that allows users to store secrets for safekeeping on a server, without giving the server access to those secrets. Instead of storing a traditional salted password hash, the server stores a secret envelope that is locked by two pieces of information: the password known only by the user, and a secret key known only by the server. To log in, the client initiates a cryptographic key exchange that reveals the envelope key only to the user, but not to the server.
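The paragraph above describes the core idea: the stored envelope is locked by the user's password and by a key only the server holds, and the server never sees the password itself. The following Python walk-through is an added illustration written for this page; it is not code from the opaque-ts library or from the OPAQUE specification. It assumes a toy OPRF built on exponentiation in the integers modulo the Mersenne prime 2^521 - 1 (chosen only to keep the arithmetic simple; real OPAQUE uses a prime-order elliptic-curve group) and a toy XOR-plus-HMAC envelope cipher standing in for an authenticated encryption scheme. The authenticated key exchange that follows envelope recovery in the real protocol is omitted.

```python
"""Added illustration of the OPAQUE idea: an OPRF-locked envelope.

Toy group and toy envelope cipher (constructed for this example); the real
protocol uses a prime-order elliptic-curve group and an authenticated cipher.
"""
import hashlib
import hmac
import secrets
from math import gcd

# Toy group: Z_p^* for the Mersenne prime p = 2^521 - 1 (assumption: chosen
# only so exponent arithmetic stays simple; not a secure OPRF group).
P = (1 << 521) - 1
ORDER = P - 1      # exponents are reduced mod p-1 (Fermat's little theorem)
P_BYTES = 66       # 521 bits fit in 66 bytes


def hash_to_group(password: bytes) -> int:
    """Map the password to a group element in [2, p-1] (never 0 or 1)."""
    digest = hashlib.sha512(b"OPAQUE-toy/H2G" + password).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 2


def blind(password: bytes):
    """Client: pick a random exponent r and send H(pw)^r; r never leaves the client."""
    while True:
        r = secrets.randbelow(ORDER - 1) + 1
        if gcd(r, ORDER) == 1:          # r must be invertible mod p-1
            break
    return r, pow(hash_to_group(password), r, P)


def unblind(evaluated: int, r: int) -> int:
    """Client: strip r to obtain H(pw)^k, where k is the server's OPRF key."""
    return pow(evaluated, pow(r, -1, ORDER), P)


def randomized_password(password: bytes, oprf_output: int) -> bytes:
    """Envelope key: depends on the password AND on the server's OPRF key."""
    return hashlib.sha512(b"OPAQUE-toy/rwd" + password
                          + oprf_output.to_bytes(P_BYTES, "big")).digest()


def seal(key: bytes, secret: bytes) -> bytes:
    """Toy envelope: keystream XOR plus HMAC tag (stand-in for an AEAD)."""
    stream = hashlib.sha512(b"OPAQUE-toy/stream" + key).digest()[: len(secret)]
    ciphertext = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(key, ciphertext, hashlib.sha512).digest()
    return ciphertext + tag


def open_envelope(key: bytes, envelope: bytes):
    """Return the client's secret, or None if the key (hence password) is wrong."""
    ciphertext, tag = envelope[:-64], envelope[-64:]
    expected = hmac.new(key, ciphertext, hashlib.sha512).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = hashlib.sha512(b"OPAQUE-toy/stream" + key).digest()[: len(ciphertext)]
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


class Server:
    """Holds one OPRF seed (kept out of the user database) plus the user records."""

    def __init__(self):
        self.oprf_seed = secrets.token_bytes(32)   # server-only secret
        self.user_db = {}                          # user_id -> sealed envelope only

    def oprf_key(self, user_id: bytes) -> int:
        k = hmac.new(self.oprf_seed, user_id, hashlib.sha512).digest()
        return int.from_bytes(k, "big") % (ORDER - 1) + 1

    def evaluate(self, user_id: bytes, blinded: int) -> int:
        """Server only ever sees the blinded value; it learns nothing about pw."""
        return pow(blinded, self.oprf_key(user_id), P)


def register(server: Server, user_id: bytes, password: bytes) -> bytes:
    r, blinded = blind(password)
    rwd = randomized_password(password, unblind(server.evaluate(user_id, blinded), r))
    client_secret = secrets.token_bytes(32)    # e.g. the client's long-term key
    server.user_db[user_id] = seal(rwd, client_secret)
    return client_secret


def login(server: Server, user_id: bytes, password: bytes):
    """Recover the client secret; the key exchange that would follow is omitted."""
    r, blinded = blind(password)
    rwd = randomized_password(password, unblind(server.evaluate(user_id, blinded), r))
    return open_envelope(rwd, server.user_db[user_id])


if __name__ == "__main__":
    srv = Server()
    secret = register(srv, b"alice", b"correct horse battery staple")
    assert login(srv, b"alice", b"correct horse battery staple") == secret
    assert login(srv, b"alice", b"wrong password") is None
    print("envelope opens only with the right password; server saw only blinded values")
```

Two properties are worth checking when running this: the blinded value sent to the server differs on every attempt even for the same password, while the unblinded OPRF output is the same each time, which is what makes the envelope key reproducible for the user without the server ever seeing the password. The per-user record holds only the sealed envelope; the OPRF seed lives outside the user database, which is the separation the demo's download-the-database claim relies on.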

Status


Demo users registered in the last hour:
Download user database