
Posted

Hi,

I posted a question on Stack and as yet have not got an answer that is something novel. I'm interested to know if this worries anyone else and whether we can do something about it.

So here goes:

If a user logs in to your online service, let's say a job posting site, they give you an email and password to access your service later... Let's say a malicious person with access to the server could write into the template to store the passwords as plain text somewhere. Given that people generally don't use a new password for each website, now that malicious person has the potential to access other online services using these details (where there isn't any secondary security like 2-factor).

Is there anything we can do to battle this? In an ideal world, maybe setting up a zero-knowledge algorithm to log people in and out...

https://security.stackexchange.com/questions/155806/what-to-do-about-compremised-passwords-through-malicious-sites-or-site-hacks/155823#155823


food for thought

Posted

That's the main reason I decided to embrace "Passwordless" login. No more support messages "I can't change my password" anymore!! 

  • Like 2
Posted
15 minutes ago, Sérgio said:

to embrace "Passwordless" login.

You mean Auth0? How about you join forces and release a module? I would love to help by testing ;) 

  • Like 2
Posted
31 minutes ago, szabesz said:

You mean Auth0? How about you join forces and release a module? I would love to help by testing ;) 

Yep, I used the Auth0 API for that. In the end, it was simpler than I thought it would be. 

I can send you the module source code but it's not ready for open source, need documentation and maybe a cleanup. Would you like to do that?

  • Like 2
Posted

Maybe I can create a PW site profile based on the default profile with just this module and its required fields and release it here. I think it will be better as I may have a lot of details to explain in text and using code is easier. What do you guys think?

  • Like 3
Posted

Looks interesting. Does a magic link solve this issue for you guys then, you think, as there are no passwords present, just a mobile or email?

Posted
52 minutes ago, Sérgio said:

Maybe I can create a PW site profile based on the default profile...

I like the idea :) I would be happy to contribute by providing the bases of a documentation, if you think it works that way.

Posted (edited)

@Sérgio I took another look at the Auth0 site (pricing) and I noticed that "User management dashboard" is not included in the free plan. Is it an issue? Or is there a "workaround" for this "limitation"? Can some other features be used instead of this "missing dashboard"? I'm asking this because otherwise the free plan would completely cover my client's needs.

Edited by szabesz
typo
Posted

Am I right in saying Auth0 passwordless is based on the magic link? Could we not take the idea and make an implementation of our own in PW, as there doesn't seem to be too many moving parts?

Posted

Sorry @benbyf for hijacking your thread, it wasn't my intention. I do not think Auth0 should be part of your profile/module, since it is a paid service.

  • Like 1
Posted

I've done an implementation of "magic link" logins via email on a previous (non-PW) site using HMAC SHA1 to avoid having to store passwords.

On an upcoming site, I plan to do a similar thing but using JWTs to encode and verify the data, as it's a better standard than just concatenating a bunch of values :)

  • Like 2
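A minimal HMAC-signed magic-link token of the kind the post above describes, added here as an illustration and not the poster's code. It uses HMAC-SHA256 rather than SHA1; the secret key, lifetime and email address are constructed values for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed secret for the example; a real site loads this from config, never from source.
SECRET_KEY = b"example-secret-key-do-not-use"
TOKEN_TTL = 15 * 60  # seconds a magic link stays valid


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_magic_token(email: str, key: bytes = SECRET_KEY, now: Optional[float] = None) -> str:
    """Return 'payload.signature' where payload = email|expiry|nonce (what goes in the emailed link)."""
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_TTL
    nonce = _b64u(os.urandom(16))  # makes every link unique; store it server-side to make links single-use
    payload = f"{email}|{expiry}|{nonce}".encode()
    return f"{_b64u(payload)}.{_b64u(_sign(payload, key))}"


def verify_magic_token(token: str, key: bytes = SECRET_KEY, now: Optional[float] = None) -> Optional[str]:
    """Return the email if the token is authentic and unexpired, otherwise None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _b64u_decode(payload_b64)
        sig = _b64u_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    # Check the MAC in constant time before trusting anything inside the payload.
    if not hmac.compare_digest(sig, _sign(payload, key)):
        return None
    email, expiry, _nonce = payload.decode().rsplit("|", 2)
    if int(expiry) < now:
        return None
    return email
```

Anything the link's recipient can change (email, expiry) is covered by the MAC, so a tampered or expired link is rejected without the server ever holding a password.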
Posted
33 minutes ago, benbyf said:

Am I right in saying Auth0 passwordless is based on the magic link? Could we not take the idea and make an implementation of our own in PW, as there doesn't seem to be too many moving parts?

There's a lot of thinking behind the magic link solution; the guys at Auth0 handle all the heavy load of checking and trusting the user signing in. I wouldn't dare to implement such a feature myself if I were you. That's a LOT of time to invest. 

  • Like 1
Posted
57 minutes ago, szabesz said:

@Sérgio I took another look at the Auth0 site (pricing) and I noticed that "User management dashboard" is not included in the free plan. Is it an issue? Or is there a "workaround" for this "limitation"? Can some other features be used instead of this "missing dashboard"? I'm asking this because otherwise the free plan would completely cover my client's needs.


The thing is, I don't know how but I can access the user dashboard on my free plan. Maybe when I signed up, they gave me access to it. :) BUT it's not something you will really need because you can manage the users on PW's admin just fine. The dashboard is useful for projects that don't have an admin, I think.

  • Like 1
Posted
1 hour ago, szabesz said:

I like the idea :) I would be happy to contribute by providing the bases of a documentation, if you think it works that way.

I dig that! Let me find some time to put things together and we'll talk, ok?

  • Like 1
Posted
6 minutes ago, Sérgio said:

I dig that! Let me find some time to put things together and we'll talk, ok?

Cool :) 

  • Like 1