this post was submitted on 02 Nov 2023
107 points (99.1% liked)
Technology
59390 readers
3596 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Instead of having a secret that both you and the server share (password). Only you have the secret. Basically, what happens is that the server sends a message to your device encrypted that says, "If you are person, please give me back this code unencrypted." And then it gives a code, for example. Your device decrypts that using your secret that you keep and then tells the server the code and the only way to have gotten that code is for you to have successfully decrypted the message the server sent.
By doing it this way, if the server is ever compromised, then it contains no secrets for your account to be brute force decrypted by a hacker.
how does the server encrypt the message it sends without the secret? Or is that stored during sign up?
When you sign up, your device creates a public private key pair. It keeps the private key locally and sends the public key to the server. So instead of a username, you are nothing but a string of random characters representing your public key. You can see an example of this, if you go into the Linux terminal and type "ssh-keygen"
good explanation, thank you! I'm very familiar with ssh key auth so that makes sense