Secure remote password

1. Signup

- Your browser transfers an encrypted verifier based your password. But it does not send the password itself. -

Features

Mutual handshake - validates server on login
Using strong cryptography
No eavesdropping on the network
Challange response prevents replay attacs
Seeding prevents dictionary attacs on the server

2. Login

Resources

- You enter your password - your browser exchanges encrypted data with the site to check if it was the right one. + Official website at Stanford

3. Verify

- You can see from the logs that your password was not send. The login process is different each time so it can't be replayed. + Wikipedia Article on SRP

Libraries and Implementations:

+ C library + with telnet and ftp (scroll down) +
+ Open SSL patches +
+ Java and C# implementations +

1. Signup

+ Your browser transfers an encrypted verifier based your password. But it does not send the password itself. +

<% if @user %>

You are signed up as <%= @user.login %>.

<% end %> + <%= button_link(:signup, :primary => !@user) %>

2. Login

+ You enter your password - your browser exchanges encrypted data with the site to check if it was the right one. +

<% if @user && @user.active %>

You are logged in.

<% end %> + <%= button_link(:login, :primary => @user && !@user.active) %>

3. Verify

+ You can see from the logs that your password was not send. The login process is different each time so it can't be replayed. +

+ <%= button_link(:verify, :primary => @user && @user.active) %>

- <%= button_link(:signup, :primary => !@user) %>

- <%= button_link(:login, :primary => @user && !@user.active) %>

- <%= button_link(:verify, :primary => @user && @user.active) %>

- - - - +

1. Signup

Features

2. Login

Resources

3. Verify

Try it ... It works just like a normal password - but it's more save.

1. Signup

You are signed up as <%= @user.login %>.

2. Login

You are logged in.

3. Verify