54 · linuxxx · 6y

Working on the notes service and I'm still at the signup/login/password reset part.

Spending hours thinking the process through, trying to think of any possible weaknesses in the system and writing patches right away.
I find it funny how thinking through every step (code-wise and user-wise) gives a very broad overview of how secure/insecure this thing is.

I fucking love doing this.

Comments
  • 1
    Why not use any libraries (open source) which are vetted by many?
  • 2
    Don't do passwords yourself - not for production at least - you're going to get it wrong
  • 1
    @yendenikhil Any links/sources on that? I'd love to see them!
  • 3
    @windlessuser What do you mean? I'm using BCrypt in the most widely recommended way.
  • 5
    Look into Laravel, one of the biggest FOSS PHP frameworks. It does a whole bunch of things for you including security.

    Also, for your algo of choice, please use bcrypt, and if you use PHP, please use the password library that's built in to easily switch if an algo is fucked
  • 1
    @linuxxx bcrypt is good. But that's just the salting and hashing part. What's your stack? PHP or Node or Ruby or something else.

    E.g. for node there is passport http://www.passportjs.org/
  • 4
    @windlessuser @linuxxx I would be the last person on our earth to implement a 'Login with <shitty service>' option. Better off just making your own login system.
  • 9
    @olback Oh I'll never implement logins with other services. For example, login through Google would mean someone having to go through Google login, meaning having them go through Google and at least one mass surveillance network. Hell nope for me haha!
  • 1
    @linuxxx make your own OAuth2 service to log in to all of your services!
  • 2
    @yendenikhil Using the general stack I always use, LEMP :)
  • 2
    @yendenikhil Maybe later! I hardly know anything about it currently, so I wouldn't even trust the security myself.
  • 1
    @linuxxx doesn’t have to be a service, just use a standard like OAuth2 with JWT
  • 1
    Just know that implementing your own logic to salt and hash passwords is a big no no lol
  • 2
    @linuxxx sorry, I don't know much about PHP, but there are many who are already sharing their opinion
    😆
  • 2
    @windlessuser I know that implementing your own shit like that isn't a good idea.

    I'm using the PHP-provided crypt functions, which are recommended all over the net, and I also asked a very good security person on here :)
  • 1
    @windlessuser the password hash function in PHP is safe. It uses bcrypt by default and generates a random hash with OpenSSL or /dev/urandom.
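Putting the advice of the last few comments into code, as an added example that is neither the original poster's code nor anything published by the PHP project: the password_hash() / password_verify() / password_needs_rehash() functions several commenters recommend above, used with bcrypt at an explicit cost and with a transparent upgrade when the cost is raised. The in-memory $users array standing in for the users table, the cost of 12, and the sample accounts are all assumptions made for the demo.

```php
<?php
// Added example, not code from the original post. $users is an in-memory
// array standing in for a database table (assumption).
declare(strict_types=1);

// bcrypt as the thread recommends; the cost is pinned so it can be raised
// deliberately later and password_needs_rehash() will notice the change.
const HASH_ALGO    = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];

function hashPassword(string $password): string
{
    // bcrypt silently ignores everything past 72 bytes; refuse instead.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    // password_hash() draws the salt from the CSPRNG itself; never pass one in.
    return password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

function register(array &$users, string $email, string $password): void
{
    if (isset($users[$email])) {
        throw new RuntimeException('account already exists');
    }
    $users[$email] = ['hash' => hashPassword($password)];
}

// $dummyHash is a real bcrypt hash of a throwaway password, so that a login
// attempt against an unknown e-mail burns the same time as a known one and
// response timing does not reveal which addresses are registered.
function login(array &$users, string $email, string $password, string $dummyHash): bool
{
    $known      = isset($users[$email]);
    $storedHash = $known ? $users[$email]['hash'] : $dummyHash;

    // Always run exactly one password_verify(), whether or not the user exists.
    $ok = password_verify($password, $storedHash);
    if (!$known || !$ok) {
        return false;
    }

    // Transparent upgrade: a hash made with an older algorithm or a lower
    // cost is replaced now, while the plaintext is available for this request.
    if (password_needs_rehash($storedHash, HASH_ALGO, HASH_OPTIONS)) {
        $users[$email]['hash'] = hashPassword($password);
    }
    return true;
}

// ---- demo with constructed accounts ----
$users     = [];
$dummyHash = password_hash('not-a-real-password', HASH_ALGO, HASH_OPTIONS);

register($users, 'alice@example.test', 'correct horse battery staple');
printf("alice, right password: %s\n", login($users, 'alice@example.test', 'correct horse battery staple', $dummyHash) ? 'ok' : 'denied');
printf("alice, wrong password: %s\n", login($users, 'alice@example.test', 'Tr0ub4dor&3', $dummyHash) ? 'ok' : 'denied');
printf("unknown user:          %s\n", login($users, 'nobody@example.test', 'whatever', $dummyHash) ? 'ok' : 'denied');

// A legacy row hashed at cost 10 is upgraded to the current cost on its next
// successful login; password_get_info() shows the cost stored in the hash.
$users['bob@example.test'] = ['hash' => password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10])];
login($users, 'bob@example.test', 'hunter2', $dummyHash);
printf("bob's hash cost after login: %d\n", password_get_info($users['bob@example.test']['hash'])['options']['cost']);
```

Run it with `php example.php`; each bcrypt call at cost 12 takes a noticeable fraction of a second, which is the point of the cost parameter. The dummy-hash trick is what makes "user not found" and "wrong password" take the same time; without it, the early return for an unknown e-mail is measurably faster and doubles as a user-enumeration oracle.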
  • 1
    That is a nice rant
  • 4
    I think Laravel does this pretty well, you might want to have a look at it. Checking if you missed something, or they ;)

    https://laravel.com/docs/5.6/...

    And if you use Laravel it's so easy to implement in your project. You only need to do:

    php artisan make:auth
  • 2
    @MisterArie I do not use laravel haha. Combo of Slim and my own code. Thanks for the link!
  • 2
    I did exactly the same the last 3-4 hours! It's awesome and one also learns so much :)
  • 3
    Hahahaha been doing exactly the same thing for a week now.

    Crunching a "state of the art" security for a side project :)
  • 3
    @yendenikhil OAuth2 is significantly less secure than OAuth.
  • 0
    Why are you trying to reinvent the wheel?
  • 7
    @akarshsatija Because by doing that I learn a lot.
  • 1
    @linuxxx ofc don't forget about SSL and CSRF 😉
  • 1
    @Root o.O. I was not aware. Then I need to do some ddging.
  • 3
    @incognito SSL is ALWAYS the first thing I set up for any domain! And CSRF, don't worry about that one 😊
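The CSRF protection @incognito brings up, written out as an added example that is not from the original post: a per-session synchronizer token drawn from the CSPRNG, embedded as a hidden field in every state-changing form, and compared with hash_equals() on submit. The $session array stands in for $_SESSION so the demo runs from the command line; the function names and the constructed POST bodies are assumptions.

```php
<?php
// Added example, not code from the original post. $session stands in for
// $_SESSION so this runs without a web server (assumption).
declare(strict_types=1);

// Return the session's CSRF token, minting one on first use.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf']) || !is_string($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    }
    return $session['csrf'];
}

// Hidden input to drop into every form that changes state.
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Call on every POST before touching state. A missing token, a token from
// another session, or a non-string value (PHP decodes csrf[]=... as an array)
// all fail; hash_equals() keeps the comparison constant-time.
function csrfCheck(array &$session, $submitted): bool
{
    if (!isset($session['csrf']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($session['csrf'], $submitted);
}

// ---- demo with constructed sessions and POST bodies ----
$alice   = [];
$mallory = [];

printf("form field: %s\n", csrfField($alice));          // rendered into Alice's page

$ownPost   = ['csrf' => csrfToken($alice)];             // Alice submits her own form
$crossPost = ['csrf' => csrfToken($mallory)];           // token minted in another session
$blindPost = [];                                        // classic CSRF: the attacker never sees the token
$arrayPost = ['csrf' => [csrfToken($alice)]];           // csrf[]=... sent instead of a string

printf("own token:     %s\n", csrfCheck($alice, $ownPost['csrf']   ?? null) ? 'accepted' : 'rejected');
printf("other session: %s\n", csrfCheck($alice, $crossPost['csrf'] ?? null) ? 'accepted' : 'rejected');
printf("no token:      %s\n", csrfCheck($alice, $blindPost['csrf'] ?? null) ? 'accepted' : 'rejected');
printf("array payload: %s\n", csrfCheck($alice, $arrayPost['csrf'] ?? null) ? 'accepted' : 'rejected');
```

The token lives in the session, not in a cookie the browser would send along automatically, which is exactly what a cross-site form post cannot reproduce. Pair it with a SameSite attribute on the session cookie (session_set_cookie_params() accepts a 'samesite' option from PHP 7.3) as a second layer rather than a replacement.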
  • 2
    @yendenikhil They're quite different and solve different problems for different usecases.

    Always learn about your tools 😊
  • 1
    @Root I do too, but apparently my understanding about its security part! I'm glad I'm on this platform! Thanks!
  • 1
    @linuxxx That's for people that already use Google, or any other service.

    If you are targeting the average Joe use what the average Joe wants/needs and that is login with Facebook/Google/Twitter/etc.

    Forcing people to create one more account and reuse one more time their crappy password on a possibly not-that-secure server is doing more harm than good.

    There is a reason way too many developers are not that good at making business decisions.

    If you are only targeting your tech savvy friends and colleagues then feel free to do whatever you think is morally superior.
  • 1
    @nickpapoutsis I'll never enable logging in from any service which is part of the PRISM program, and too bad companies like Google and Facebook are part of exactly that.
  • 0
    @linuxxx The users already have accounts with Google, Facebook or whatever. By not enabling login with them you are not helping your users, you are just feeding your ego and giving yourself pats on the back.

    If there was the slightest of chances this would lead to less people using Google or Facebook then I would be on your side but it really doesn't.

    All you are doing is losing potential users and increasing the attack surface for the vast majority of your users that tend to reuse passwords.
  • 3
    @nickpapoutsis This has nothing to do with my ego.

    This has everything to do with an ethical/moral dilemma and I've made my choice regarding it. Also this isn't a pat on my own back, respectfully, that's complete bullshit.

    For you, using those services might be the most normal thing in the world.

    For me, I'm trying to improve my ways of not even giving my laptop the ability to connect to any of those services every goddamn day.

    I'll have strong password rules and 2FA (about to write that one) enabled by default.

    I spend hours and hours on thinking about ways to address potential vulnerabilities and security testing everything myself and later on with other testers but I've got one very simple principle:

    Never integrate any service in any way which is integrated within a mass surveillance network. If users use them, their choice but not through my fucking service.

    If that makes me lose users, so be it.

    (@Root and @AlexDeLarge, could use your help on the google/fb etc login thingies which I refuse to implement for very valid reasons imo)
  • 2
    @linuxxx: @nickpapoutsis seems to be simply following popular trends and insulting those who do not.

    Exactly why he's incorrect isn't worth an explanation because I don't take his perspective seriously.
  • 0
    @linuxxx hey, I totally agree about not connecting to mass surveillance (yay!). But I am a bit worried about the part where you are reinventing the 2FA and password management. I have no doubt about your capability and passion for this part, but I feel reinventing the wheel is dangerous. There are many frameworks that do this; they are open source and vetted by many people, and they also keep up to date with new issues found. If you decide to do that by yourself then you are locking yourself into more work as time progresses.

    I would suggest implementing these yourself in dev to understand how they work, then using the framework which has this implemented (and if you find the framework lacking something then you can contribute to its open source repo to add that; either your changes will be accepted and you made something more robust / feature-rich, or someone says this doesn't make sense due to reasons and you learnt something).

    All in all you get a robust framework, which you don't have to write from the ground up, (maybe) contributed to it and helped the whole community!

    We are but "the dwarfs sitting on the shoulders of giants!"
  • 1
    @yendenikhil I agree concerning password management, but 2FA is relatively simple and should be an exercise for the dev.

    Alternatives like Devise that do everything for you actually increase workload in many cases because they're mysterious black boxes with magical settings and callbacks, and you have to consult the documentation every time you're trying to figure out wtf is going on. I hate Devise.

    Now if he's generating OTPs himself (e.g. authenticator) that would very likely be a vulnerability as it's very difficult to do correctly.
  • 1
    @yendenikhil I get your point but I don't get how following advice and code from many online resources (they all point to the same) and also from a fellow devRanter who's very good with security wouldn't be good practice?

    @Root I'm not working with that kind of 2FA, it will be as simple as email validation. Imo (correct me if wrong or anything) that's a good way to go with it.
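The e-mail validation step @linuxxx describes, written out as an added example that is not the original poster's code: the token goes into the mailed link, only its SHA-256 is kept server-side, and the token is bound to a purpose, expires, and can be used once. The $tokens array standing in for a table, the 15-minute TTL, the purpose labels and the addresses are assumptions made for the demo; sending the mail itself is out of scope.

```php
<?php
// Added example, not code from the original post. $tokens is an in-memory
// array standing in for a verification_tokens table (assumption).
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 15 * 60;   // assumption: links stay valid for 15 minutes

// Create a one-time token for $email. The caller puts the returned value in
// the mailed link; the store keeps only a hash of it, so a dumped table does
// not hand out usable links.
function issueToken(array &$tokens, string $email, string $purpose, int $now): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $tokens[hash('sha256', $token)] = [
        'email'   => $email,
        'purpose' => $purpose,
        'expires' => $now + TOKEN_TTL_SECONDS,
    ];
    return $token;
}

// Redeem a token from a link. Returns the verified e-mail address, or null.
// Any attempt consumes the token, valid or not, so it cannot be retried.
function redeemToken(array &$tokens, string $token, string $purpose, int $now): ?string
{
    $key = hash('sha256', $token);
    if (!isset($tokens[$key])) {
        return null;                             // unknown or already used
    }
    $record = $tokens[$key];
    unset($tokens[$key]);                        // single use: remove before checking

    // A "verify e-mail" link must not complete a password reset, and vice versa.
    if ($record['purpose'] !== $purpose) {
        return null;
    }
    if ($now > $record['expires']) {
        return null;
    }
    return $record['email'];
}

function show(string $label, ?string $result): void
{
    printf("%-30s %s\n", $label . ':', $result ?? 'rejected');
}

// ---- demo with constructed data and a fixed clock ----
$tokens = [];
$t0     = 1700000000;

$signup = issueToken($tokens, 'alice@example.test', 'verify-email', $t0);
show('fresh token',            redeemToken($tokens, $signup, 'verify-email', $t0 + 60));
show('same token again',       redeemToken($tokens, $signup, 'verify-email', $t0 + 61));

$reset = issueToken($tokens, 'alice@example.test', 'password-reset', $t0);
show('reset token as verify',  redeemToken($tokens, $reset, 'verify-email', $t0 + 60));

$late = issueToken($tokens, 'alice@example.test', 'verify-email', $t0);
show('expired token',          redeemToken($tokens, $late, 'verify-email', $t0 + TOKEN_TTL_SECONDS + 1));

$forged = str_repeat('0', 64);
show('guessed token',          redeemToken($tokens, $forged, 'verify-email', $t0));
```

Looking the record up by the hash of the token rather than by the token is what makes the stored table useless to anyone who reads it, and the 256-bit token makes guessing pointless regardless of how fast the lookup is. Consuming the token before the purpose and expiry checks is a deliberate choice: a link that was tried once, for whatever reason, is gone, and the user requests a new one.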
  • 0
    @Root we have to make a reasonable attempt to use well-written libraries. Also, I always assume open source ones, though I'm not explicit in stating so. I agree, if the things can be done better by ourselves then write a library (just to write once, use multiple times; I'd still write a library for 2FA). I'm coming from a place where what we do can be much more than helping us to run our app.

    @linuxxx I'm not against good practice from knowledgeable people (including you, whom I consider knowledgeable), but do good practice and a lot of online resources cover (almost) all known holes better than a well-written and well-vetted library? In some cases the answer is yes but in many it is no! And you know, especially in security, you're as strong as your weakest link. Having said that, I'll amend my earlier comment, saying, if you have something better, then refactor it into a separate library and open source it! To give back to the community of which we use a lot of resources, and to put it out in the open for someone to break it so you (or they) can make it better. Isn't it one of the fundamentals of open source?
    Edit: you don't have to, the best part of the open source community is it doesn't expect anything back! (Other than what the license states of course)
  • 1
    @yendenikhil I just don't understand, I've mentioned multiple times that I'm using the things recommended everywhere. To be clear, those are one of the strongest hashing methods available and I'm using the official functions.....?