
OPAQUE Protocol Explained: Why Your Password Should Never Touch the Server

Every time you log into a website, you're performing one of the most dangerous operations in cybersecurity: transmitting proof of your identity. For decades, we've relied on a fundamentally flawed approach — sending password hashes to servers. OPAQUE changes everything.

The Fundamental Flaw

In traditional authentication, here's what happens when you type your password:

  1. Your password is hashed (e.g., with bcrypt or PBKDF2)
  2. The hash is sent to the server over TLS
  3. The server compares it with the stored hash

This seems secure, but it has critical weaknesses:

  • The server stores password hashes. If breached, attackers can attempt offline brute-force attacks against every hash in the database.
  • The hash is transmitted. Even over TLS, the hash passes through memory on the server side, where it could be intercepted by a compromised process.
  • Pre-computation attacks. Attackers can pre-compute hashes for common passwords and compare them against stolen databases.

What is OPAQUE?

OPAQUE (RFC 9807) is an asymmetric Password-Authenticated Key Exchange (aPAKE) protocol. In simple terms, it allows you to prove you know a password without the server ever learning anything about it — not the password, not a hash, not even an encrypted form of it.

How OPAQUE Works

OPAQUE has two phases:

Registration (one-time setup)

  1. Your device generates a random key pair and an "envelope" containing your encryption keys
  2. The envelope is encrypted with a key derived from your password
  3. The encrypted envelope and the public key are sent to the server
  4. The server stores these — but cannot open the envelope without your password

Authentication (every login)

  1. Your device initiates a cryptographic exchange with the server
  2. Using an Oblivious Pseudo-Random Function (OPRF), the server helps your device derive the correct key without learning what that key is
  3. Your device decrypts the envelope and recovers its private key
  4. Both sides establish a shared session key through key exchange

At no point does the server see your password or anything derived from it. The server assists in the computation without gaining knowledge — this is the "oblivious" part.
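
The OPRF step in the login flow above, as an added illustration (not SandPass or @serenity-kit/opaque code): the client blinds a hash of the password, the server applies its secret exponent k, and the client unblinds the result. It is a toy for Node.js over the built-in modp14 Diffie-Hellman group; the function names and the group choice are assumptions, and real OPAQUE implementations use a standardized elliptic-curve OPRF instead.

```javascript
// Toy OPRF (blind / evaluate / unblind) in the order-q subgroup of Z_p*.
// Illustration only: not the OPRF suite a real OPAQUE deployment uses.
const nodeCrypto = require('node:crypto');

// Assumption: Node's built-in RFC 3526 2048-bit safe prime, p = 2q + 1.
const p = BigInt('0x' + nodeCrypto.getDiffieHellman('modp14').getPrime('hex'));
const q = (p - 1n) / 2n;

function modPow(base, exp, mod) {
  let result = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

// Hash the password to a group element; squaring forces it into the order-q subgroup.
function hashToGroup(password) {
  const wide = nodeCrypto.createHash('shake256', { outputLength: 256 })
    .update(password).digest('hex');
  return modPow(BigInt('0x' + wide), 2n, p);
}

// Client, step 1: hide H(pw) behind a fresh random exponent r in [1, q-1].
function blind(password) {
  const r = (BigInt('0x' + nodeCrypto.randomBytes(264).toString('hex')) % (q - 1n)) + 1n;
  return { r, blinded: modPow(hashToGroup(password), r, p) };
}

// Server: apply its per-user secret k to a value that looks uniformly random.
function evaluate(blinded, k) {
  return modPow(blinded, k, p);
}

// Client, step 2: strip r to get H(pw)^k, then hash it into the envelope key.
function finalize(password, r, evaluated) {
  const rInv = modPow(r, q - 2n, q); // q is prime, so r^(q-2) = r^-1 mod q
  const unblinded = modPow(evaluated, rInv, p);
  return nodeCrypto.createHash('sha256')
    .update(password).update(unblinded.toString(16)).digest('hex');
}

// One full round trip; the server only ever handles `blinded` and `k`.
function oprfRoundTrip(password, k) {
  const { r, blinded } = blind(password);
  return { blinded, key: finalize(password, r, evaluate(blinded, k)) };
}
```

Two logins with the same password send different `blinded` values yet derive the same key, and a different password or a different server secret yields a different key.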

Why This Matters for Password Managers

For a password manager, the authentication protocol is the front door to your entire digital life. If an attacker compromises the authentication system, everything is exposed. OPAQUE provides:

  • Breach resistance: A database dump is useless — there are no hashes to crack
  • Phishing resistance: The protocol is bound to the server's identity, making man-in-the-middle attacks detectable
  • Forward secrecy: Each session uses fresh keys, so compromising one session doesn't reveal past or future sessions
  • No password-equivalent storage: Unlike bcrypt hashes, the server's stored data cannot be used to impersonate the user

OPAQUE vs. Other Approaches

| Approach | Password transmitted? | Hash stored on server? | Offline attack possible? |
|---|---|---|---|
| Traditional (bcrypt) | Yes (hash) | Yes | Yes |
| SRP | No | Verifier (equivalent) | Partial |
| OPAQUE | No | No (opaque envelope) | No |

The State of Adoption

OPAQUE became RFC 9807 in 2024, giving it the formal standardization needed for enterprise adoption. While most of the industry still uses bcrypt or Argon2id hashes with traditional transmission, forward-thinking security products are beginning to adopt OPAQUE.

SandPass implements OPAQUE using the @serenity-kit/opaque library — a well-audited, WASM-based implementation that runs entirely in the browser. Combined with Argon2id key derivation and AES-256-GCM encryption, it provides a complete zero-knowledge stack.

Conclusion

OPAQUE represents a paradigm shift in authentication. Instead of hoping your password hash won't be stolen and cracked, OPAQUE ensures there's nothing useful to steal in the first place. For password managers — where the stakes are your entire digital identity — this isn't optional. It's essential.