HTML DB / An easy-to-use database for devs to add a secure login/password system to their site

data recovery, and plus, every management system needs an admin account, so, technically, this is that admin account, but instead, just a key to manage everything

2 Likes

What you would do instead is just allow the user to request a password reset; you simply don't ever store the user's password in plain text or encrypt it. Even just hashing isn't good enough. You should hash and salt. All other ways of storing passwords are naive and insecure approaches and just should not be used.

3 Likes

I would look into using this for more non-sensitive info (maybe for less secure forms).

I would just like to see better docs to make it more friendly towards newer users.

2 Likes

that is exactly what it should be used for, more or less: private things / large projects, using it server side only, and not served as a web page for large things. It has multiple combinations…

server side only ( recommended for starter projects )
server side + database management ( private projects )
server side + client side ( private projects/large projects )
client side only ( large projects )

also, docs are being developed; I am taking on the slow, time-consuming task atm

1 Like

Passwords should not be stored unhashed, let me put you through this scenario.

  1. We can agree that people tend to use their password on most of their stuff, for instance, a person might use the same password on Youtube, as they do on their email account. Let’s be honest, you probably also do the same.

  2. We now have established that most people use the same password across multiple places.

  3. A sudden glitch: a server administrator decides to go rogue, and they just access your project with no implications whatsoever. They find your encryption key within seconds; they now have a database with a lot of encrypted passwords, but since this rogue system administrator has the key, they decrypt all the passwords. The rogue system administrator now has all the passwords.

  4. He tests all the passwords and users, etc., and he appears to have found a Google account using the same credentials, just 10 minutes after getting access to your project, decrypting the passwords and testing a few accounts.

  5. He realizes that the Google account has a credit card linked to it; he saves this account for later use.

  6. He continues to test usernames, emails and passwords, and he now has a lot of personal information, all because of how you stored the passwords.

You shouldn't just assume that because only you have access to the key, your system is secure; it isn't. If you make just one small mistake, it can be at the cost of others. I consider the fact that you don't take security seriously disrespectful towards the users who use your services. And it makes you plenty less trustworthy. Just saying.

8 Likes

While this is an extreme scenario, it could definitely happen.

I personally just feel a lot more comfortable knowing that my passwords cannot be accessed.

5 Likes

:expressionless:

1 Like

it could happen, a datacenter's admin got into a NordVPN server before iirc

2 Likes

:expressionless: ok, I will think about maybe changing it up, but we still will aim for the ability to see passwords, reee

1 Like

that's still a massive issue

2 Likes

If the case here is that you don't know how to implement a login strategy, here is an example.

const { hash, test } = require("ihacks-hash");

// Placeholder in-memory store standing in for a real database
const users = new Map();
function storeUserInDatabaseSomehow(user) { users.set(user.username, user); }
function getUserFromDatabaseSomehow(username) { return users.get(username); }

function registerUser (username, password)
{
    // Store only the hash of the password, never the password itself
    const user = { username, hash: hash("sha512", password) };
    storeUserInDatabaseSomehow(user);
}

function loginUser (username, password)
{
    const user = getUserFromDatabaseSomehow(username);
    if (!user) return null; // unknown username
    // Check the submitted password against the stored hash
    const isPasswordValid = test(user.hash, password);
    if (isPasswordValid) return user;
    else return null;
}

1 Like

I’ve seen/known of many companies that have done this and 80% of them have been breached

6 Likes

hmmmmmm, looks promising, we MAY use it, so, maybe…

1 Like

And most of them used VERY STRONG AND ADVANCED ENCRYPTION, which is something I doubt you know much of, sorry.

P.S. I'm not trying to be rude, I'm trying to point out the fact that passwords should be treated with utter respect and measures of security. Encrypting passwords is just something you don't do. Think of it like this: would you like me having a picture of your credit card details (if you have any)? You don't know what I do with it, but I have them and can share them worldwide if I feel like it. That wouldn't be fun, would it?

4 Likes

:expressionless:

1 Like

Simply don’t store plaintext/encrypted passwords anywhere.

5 Likes

I’m not saying that will prevent a possible breach but it will make it a lot more difficult

2 Likes

let's be honest, vulnerabilities will always exist, but it's always the best idea to try to prevent them from happening

3 Likes

I am saying this for the last time,
WE will not be showing user passwords.
We will not change our decision

1 Like

also, just as feedback, I think many people would rather use their own login systems rather than someone else's, where security can't always be guaranteed.

Edit: also, let's say I had my own login; I could fix it as soon as I found an issue or a hired professional found an issue. With a database like this you will have to wait for the dev to fix the error and hope that your site wasn't impacted.

4 Likes