[Evans] This helps a little bit but doesn't avoid many of the problems with passwords.
One big problem with passwords is that they're reused.
There are lots of ways to reuse passwords.
Some of this is using the same password across many sites.
That's not what I'm talking about here.
I'm talking about the point that every time Alice logs in
she enters the same exact password.
The password is the same until she does something to change it.
So she's typing the same password many times.
This means if there is something logging what she types,
it will learn her password if she types it in an Internet cafe
or somewhere where it's visible to someone looking over her shoulder--
a shoulder surfer.
It's also the case that her device that she enters her password in
would start to have smudges where she types her password.
This is a particular problem for short PINs on smartphones
that are entered so many times that finger smudges start to give an idea
of what the password might be.
All of these problems stem from using the same password every time she logs in.
So we're going to talk about one way to avoid that, which is to use a hash chain.
Hash chains have lots of interesting applications.
In this case, we're going to use a hash chain to make it so we still have the nice property
that we had with the password file where the server stores no secrets.
It doesn't matter if all the data on the server is compromised.
That still wouldn't give someone the ability to log in as Alice.
