Also of note is having to terminate a single TCP/TLS connection per client vs one for every concurrent client request! Even if you are using a middle man like a CDN doing HTTP 1.1 pooling this is still reducing the established TCP/TLS connections by an order of magnitude or more.
This code should just call sha1.New(). If for some reason these allocations are a performance issue it is very simple to fix that will a little pooling:
IMHO they should either just adopt Dave Cheney's errors package (https://github.com/pkg/errors) into the standard library or leave it as it is becoming the de-facto standard.
Your criticism (outside of complexity) of the suggestion may be unfounded, consider:
Client: asks server for nonce
Server: sends nonce
---- OR ----
Nonce arrives with login page
Client: sends HMAC(nonce + HMAC(username + password + appname) + Unix Epoch rounded to last 5 min block))
Server:
1. gets response
2. using username as key pulls HMAC(username + password + appname) from DB
3. Computes HMAC(last nonce sent to username + DB HMAC + Unix Epoch rounded to last 5 min block)) and compares to user token
4. last nonce is cleared
This algorithm would have prevented the attack (only the client computed HMAC would be in the logs) and is not subject to replay.
To be fair what you're describing is a PAKE, which is substantially different from "merely" moving the key-derivation functionality of password hashing from the server to the client. They're categorically different things. But you're right - if you're going down the rabbit hole of client-side hashing, you might as well implement a PAKE instead.
This kind of gets to the heart of what I was referring to when I said client-side hashes are like faster horses rather than cars. If you're spending this much effort, a superior protocol is better than an unorthodox, modified one. SRP is a PAKE which basically takes your proposal and moves it into a different layer of abstraction (TLS), and OPAQUE makes improvements upon it which allow you to use elliptic curves[1]. There are other reasons not to use PAKEs, but they're a much more coherent and defensible suggestion than just bolting the key derivation system onto the client rather than the server.
All the more reason to make the client side send HMAC(HMAC(username + password) + Unix Epoch rounded to last 5 min block)) over the wire in its POST to the auth endpoint.
All the transport encryption and DB encryption/hashing/salting won't protect you from this kind of logging mistake, but the above would.
P.S. There are ways to make the above even better by adding a nonce that has to be requested from the server before POST etc.
With all the brexit challanges, why not have a new referendum to "confirm the will of the people"? It seems doubtful it would pass this time, crisis averted?
Also, doesn't brexit basically guarantee Scottish independence? The Scotts were way more opposed to brexit than the English in the brexit referendum and their most recent independence referendum stated as a condition of the delay until the next independence referendum that the UK's relationship with the EU did not change? Is that right?
With all the brexit challanges, why not have a new referendum to "confirm the will of the people"?
It's unclear whether or not it will be possible to construct majority support in parliament for that at present. There's also the issue of legitimacy; while I don't agree with the view myself, there is concern that a second referendum smacks of an attitude of "you did it wrong the first time, try again". This is the outcome of a badly-designed referendum, which should probably have included a ratification vote.
While I'm a huge Scottish independence fan and would love this to be the case, the reality on the ground is more complex. The case for the previous independence vote in 2014 was based heavily on continued EU membership for both Scotland and the rest of the UK. An unstable, hard-Brexit neighbour will be difficult for Scotland, which is heavily intertwined economically, culturally and politically with the rest of the UK. Brexit probably enhances the emotional case, but doesn't help the practical one. Additionally, due to the constitutional structure of the UK, Scotland cannot hold a legitimate referendum on independence without the consent of the UK parliament – something which is unlikely to be granted any time soon.
