• I make websites
  • If someone is banned twice (two accounts) I want it to take them more than 5min and a VPN to make a 3rd account
  • I’m okay with extreme solutions, like requiring everyone to have a Yubikey-or-similar physical key
  • I really hate the trend of relying on a phone number or Google capcha as a not-a-bot detection. Both have tons of problems
  • but spam (automated account creation) is a real problem

What kind of auth should I use for my websites?

@TCB13@lemmy.world
link
fedilink
6
edit-2
7M

For the first issue you may as well add the “yahoo trick” (from before SSL) and pre-hash your user’s password with a random string (provided by the back-end) once the before sending them.

The ideia is that once the person opens the login page your backend will generate a random string and save it for the session, also sends it to the frontend. Then when the user clicks login your frontend does sha512( sha512(password) + random_string ) and sends the results to the backend. Then the backend knows who’s session that is, retrieves the previously generated string from the database and does sha512( stored_password_hash + random_string ). This can be further improved by adding a TTL to the random string, make sure you delete them once the login is successful, force the frontend to refresh the login page on error and issue a new string (just don’t sent a refresh over XHR as it will can be picked by bots / make an attacker life easier.

Note 1: that the frontend first hashes the password and THEN concatenates the random string and hashed again - this has to be made this way because your server should only store hashed versions of your password.

Note 2: consider the implications of just doing SHA512, stronger algos like bcrypt, PBKDF2, and scrypt should always be used, I was just explaining what can be done and the process.

Note 3: consider the usability / accessibility / password managers when creating fields dynamically and with random IDs.

Create a post

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

  • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
  • Don’t promote proprietary software
  • Try to keep things on topic
  • If you have a question, please try searching for previous discussions, maybe it has already been answered
  • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
  • Be nice :)

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

  • 0 users online
  • 57 users / day
  • 383 users / week
  • 1.5K users / month
  • 5.7K users / 6 months
  • 1 subscriber
  • 2.97K Posts
  • 74.6K Comments
  • Modlog