dont show the server passwords


benbyf

Hi,

I posted a question on Stack and as yet have not got an answer that is something novel. I'm interested to know if this worries anyone else and whether we can do something about it.

So here goes:

If a user logs in to your online service, let's say a job posting site, they give you an email and password to access your service later... Let's say a malicious person with access to the server could write into the template to store the passwords as plain text somewhere. Given that people generally don't use a new password for each website, now that malicious person has the potential to access other online services using these details (where there isn't any secondary security like 2-factor).

Is there anything we can do to battle this? In an ideal world, maybe setting up a zero-knowledge algorithm to log people in and out...

https://security.stackexchange.com/questions/155806/what-to-do-about-compremised-passwords-through-malicious-sites-or-site-hacks/155823#155823


food for thought


31 minutes ago, szabesz said:

You mean Auth0? How about you join forces and release a module? I would love to help by testing ;) 

Yep, I used the Auth0 API for that. In the end, it was simpler than I thought it would be.

I can send you the module source code but it's not ready for open source, need documentation and maybe a cleanup. Would you like to do that?


Maybe I can create a PW site profile based on the default profile with just this module and its required fields and release it here. I think it will be better as I may have a lot of details to explain in text and using code is easier. What do you guys think?


52 minutes ago, Sérgio said:

Maybe I can create a PW site profile based on the default profile...

I like the idea :) I would be happy to contribute by providing the bases of a documentation, if you think it works that way.


@Sérgio I took another look at the Auth0 site (pricing) and I noticed that "User management dashboard" is not included in the free plan. Is it an issue? Or is there a "workaround" for this "limitation"? Can some other features be used instead of this "missing dashboard"? I'm asking this because otherwise the free plan would completely cover my client's needs.


Am I right in saying Auth0 passwordless is based on the magic link? Could we not take the idea and make an implementation of our own in PW, as there doesn't seem to be too many moving parts?


I've done an implementation of "magic link" logins via email on a previous (non-PW) site using HMAC SHA1 to avoid having to store passwords.

On an upcoming site, I plan to do a similar thing but using JWTs to encode and verify the data, as it's a better standard than just concatenating a bunch of values :)

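The HMAC-based magic-link login described in the post above, as an added example (not the poster's code and not part of ProcessWire): the server signs `email|expiry|nonce` with a secret, emails the token in a link, and on click verifies the signature in constant time, rejects expired tokens, and refuses a second use of the same nonce. The secret, the 15-minute TTL and the in-memory nonce store are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed secret for this example; a real site loads it from config, never from source.
SERVER_SECRET = b"example-only-secret-replace-me"
TOKEN_TTL_SECONDS = 15 * 60

# Nonces already redeemed, so a forwarded or replayed link cannot log in twice.
# In-memory for the example; persist this in the database in production.
_used_nonces = set()


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_magic_token(email: str, now: Optional[float] = None) -> str:
    """Return 'base64(email|expiry|nonce).base64(HMAC)' to embed in the emailed link."""
    expires = int((now if now is not None else time.time()) + TOKEN_TTL_SECONDS)
    nonce = os.urandom(16).hex()
    payload = f"{email}|{expires}|{nonce}".encode()
    return _b64(payload) + "." + _b64(_sign(payload))


def verify_magic_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email if the token is authentic, unexpired and unused, else None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    # Check the MAC before trusting any field; compare_digest avoids timing leaks.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    email, expires, nonce = payload.decode().rsplit("|", 2)
    current = now if now is not None else time.time()
    if current > int(expires) or nonce in _used_nonces:
        return None
    _used_nonces.add(nonce)  # one click redeems the link
    return email
```

The login endpoint only ever sees the token, so there is no password to store or leak; protecting the mailbox and the secret becomes the security boundary.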

33 minutes ago, benbyf said:

Am I right in saying Auth0 passwordless is based on the magic link? Could we not take the idea and make an implementation of our own in PW, as there doesn't seem to be too many moving parts?

There's a lot of thinking behind the magic link solution; the guys at Auth0 handle all the heavy load of checking and trusting the user signing in. I wouldn't dare to implement such a feature myself if I were you. That's a LOT of time to invest.


57 minutes ago, szabesz said:

@Sérgio I took another look at the Auth0 site (pricing) and I noticed that "User management dashboard" is not included in the free plan. Is it an issue? Or is there a "workaround" for this "limitation"? Can some other features be used instead of this "missing dashboard"? I'm asking this because otherwise the free plan would completely cover my client's needs.


The thing is, I don't know how but I can access the user dashboard on my free plan. Maybe when I signed up, they gave me access to it. :) BUT it's not something you will really need because you can manage the users on PW's admin just fine. The dashboard is useful for projects that don't have an admin, I think.


1 hour ago, szabesz said:

I like the idea :) I would be happy to contribute by providing the bases of a documentation, if you think it works that way.

I dig that! Let me find some time to put things together and we'll talk, ok?
