Hacker News

econ, yesterday at 9:25 PM (4 replies)

I like it. Perhaps you can use a weird idea of mine.

You can discard/modify part of a password before sending it to your backend. Then, when you log in, the server has to brute force the missing part.

One could extend this with security questions like how many children, pets and cars you own. What color was your car in 2024? Use that data to aid brute forcing.

The goal would be to be able to decrypt with fewer than 5 shards but make it as computation heavy as you like. If no one remembers the pink car it will take x hours longer.


Replies

digiown, yesterday at 11:40 PM

This makes little sense, IMO. Information is information. There is no difference between this and just having a short/simple passphrase with the PBKDF iterations turned very high. You might as well shard secrets using Shamir and encode it via a modified version of BIP32 words.

lucb1e, yesterday at 11:31 PM

That sounds like a roundabout way of doing security questions... https://security.stackexchange.com/questions/186297/do-secur...

eljojo, yesterday at 9:30 PM

ohhhh that's brutal haha! for context my app runs entirely clientside, but I get it, it's an interesting idea...

ImPostingOnHN, yesterday at 10:29 PM

That is a neat take on "key strengthening", or "peppering":

https://crypto.stackexchange.com/questions/20578/definition-...
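
The "discard part of the secret and brute-force it at login" idea from this thread, as an added example that is not code from any commenter or from the app under discussion. The names `enroll`, `verify`, `PEPPER_BITS` and the PBKDF2 iteration count are assumptions; the optional `candidates` argument models remembered answers narrowing the search.

```python
import hashlib
import hmac
import secrets

PEPPER_BITS = 12   # assumed parameter: up to 2**12 candidates searched per login
ITERATIONS = 1000  # assumed PBKDF2 cost per candidate


def _digest(password: str, salt: bytes, pepper: int) -> bytes:
    # The pepper is mixed into the salt, so each guess costs one PBKDF2 call.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt + pepper.to_bytes(4, "big"), ITERATIONS
    )


def enroll(password: str, pepper_bits: int = PEPPER_BITS) -> dict:
    """Pick a random pepper, hash with it, then discard it (it is never stored)."""
    salt = secrets.token_bytes(16)
    pepper = secrets.randbelow(1 << pepper_bits)
    return {"salt": salt, "bits": pepper_bits,
            "digest": _digest(password, salt, pepper)}


def verify(password: str, record: dict, candidates=None):
    """Search for the discarded pepper. Returns (ok, candidates_tried).

    `candidates` is an optional iterable of pepper values to try instead of
    the full range, standing in for hints that shrink the search space.
    """
    space = candidates if candidates is not None else range(1 << record["bits"])
    tried = 0
    for pepper in space:
        tried += 1
        guess = _digest(password, record["salt"], pepper)
        if hmac.compare_digest(guess, record["digest"]):
            return True, tried
    # A wrong password always pays for the whole search space.
    return False, tried


if __name__ == "__main__":
    rec = enroll("correct horse battery staple", pepper_bits=8)
    print(verify("correct horse battery staple", rec))  # (True, n), n <= 256
    print(verify("wrong guess", rec))                   # (False, 256)
```

Total work for an offline guesser is roughly `ITERATIONS * 2**bits` hash iterations per password guess, which is the equivalence to a higher iteration count raised in the reply above.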