dont show the server passwords

[benbyf]

Hi,

I posted a question on Stack and as yet not got an anwser that is something novel. I'm interested to know if this worries anyone else and whether we can do something about it.

So here goes:

If a user logins to your online sevice, let's say a job posting site, they give you an email and password to access your service later... Lets say a malicous person with access to the server could write into the template to store the passwords as plain text somewhere. Given that people generally don't use a new password for each website, now that malicious person has the potential to access other online services using these details (where there isn't any secondly security like 2-factor).

Is there anything we can do to battle this? In an ideal world, maybe setting up a zero-knowledge algorithm to log people in and out...

https://security.stackexchange.com/questions/155806/what-to-do-about-compremised-passwords-through-malicious-sites-or-site-hacks/155823#155823

 

food for thought

[Sergio]

That's the main reason I decided to embrace "Passwordless" login. No more support messages "I can't change my password" anymore!! 

[szabesz]

15 minutes ago, Sérgio said:

to embrace "Passwordless" login.

You mean Auth0? How about you join forces and release a module? I would love to help by testing  

[Sergio]

31 minutes ago, szabesz said:

You mean Auth0? How about you join forces and release a module? I would love to help by testing  

Yep, I used Auth0 API for that. In the end, it was simpler than I thought it will be. 

I can send you the module source code but it's not ready for open source, need documentation and maybe a cleanup. Would you like to do that?

[Sergio]

Maybe I can create a PW site profile based on the default profile with just this module and its required fields and release it here. I think it will be better as I may have a lot of details to explain in text and using code is easier. What do you guys think?

[benbyf]

looks interesting, does a magic link solve this issue for you guys then you think as there's no passwords present just a mobile or email?

[szabesz]

52 minutes ago, Sérgio said:

Maybe I can create a PW site profile based on the default profile...

I like the idea  I would be happy to contribute by providing the bases of a documentation, if you think it works that way.

[szabesz]

@Sérgio I took another look at the Auth0 site (pricing) and I noticed that "User management dashboard" is not included in the free plan. Is it an issue? Or is there a "workaround" for this "limitation"? Can some other features be used instead of this "missing dashboard"? I'm asking this because otherwise the free plan would completely cover my client's needs.

Edited April 6, 2017 by szabesz
typo

[benbyf]

Am i right in saying Auth0 passwordless is based on the magic link, could we not take the idea and make a implmentation of our own in PW as there doesnt seem to be too many moving parts.

[szabesz]

Sorry @benbyf for hijacking your thread, it wasn't my intention. I do not think Auth0 should be part of your profile/module, since it is a paid service.

[benbyf]

no worries, interesting to know whats out there etc

[Craig]

I've done an implementation of "magic link" logins via email on a previous (non-PW) site using HMAC SHA1 to avoid having to store passwords.

On an upcoming site, I plan to do a similar thing but using JWTs to encode and verify the data, as it's a better standard than just concatenating a bunch of values

[Sergio]

33 minutes ago, benbyf said:

Am i right in saying Auth0 passwordless is based on the magic link, could we not take the idea and make a implmentation of our own in PW as there doesnt seem to be too many moving parts.

 

 

 

There's a lot of thinking behind the magic link solution, the guys at Auth0 handle all the heavy load of checking and trust the user signing. I won't dare to implement such feature myself if I were you. That's a LOT of time to invest. 

[Sergio]

57 minutes ago, szabesz said:

@Sérgio I took another look at the Auth0 site (pricing) and I noticed that "User management dashboard" is not included in the free plan. Is it an issue? Or is there a "workaround" for this "limitation"? Can some other features be used instead of this "missing dashboard"? I'm asking this because otherwise the free plan would completely cover my client's needs.

 

The thing is, I don't know how but I can access the user dashboard on my free plan. Maybe when I signed up, they gave me access to it.  BUT it's not something you will really need because you can manage the users on PW's admin just fine. The dashboard is useful for projects that don't have an admin, I think.

[Sergio]

1 hour ago, szabesz said:

I like the idea  I would be happy to contribute by providing the bases of a documentation, if you think it works that way.

I dig that! Let me find some time to put things together and we'll talk, ok?

[szabesz]

6 minutes ago, Sérgio said:

I dig that! Let me find some time to put things together and we'll talk, ok?

Cool  

[benbyf]

i love bringing people together