My last school used my SSN as the default account password.
Just to test, I used the “forgot password” functionality, and they sent me my SSN over clear text.

As a developer, I see that as 2 mortal sins 😡

!security

(Less a rant; more just annoyance)

The codebase at work has a public-facing admin login page. It isn't linked anywhere, so you must know the url to log in. It doesn't rate-limit you, or prevent attempts after `n` failures.

The passwords aren't stored in cleartext, thankfully. But reality isn't too much better: they're salted with an arbitrary string and MD5'd. The salt is pretty easy to guess. It's literally the company name + "Admin" 🙄

Admin passwords are also stored (hashed) in the seeds.rb file; fortunately on a private repo. (Depressingly, the database creds are stored in plain text in their own config file, but that's another project for another day.)

I'm going to rip out all of the authentication cruft and replace it with a proper bcrypt approach, temporary lockouts, rate limiting, and maybe with some clientside hashing, too, for added transport security.

But it's friday, so I must unfortunately wait. :<

pwd salting

I am working on a project with a retard.
I am supposed to focus on the mobile apps but the backend guy doesn't know shit about REST.I spend more time teaching him how to serialize data into JSON and telling him not to store passwords as plaintext(He's now using md5 despite me telling him to use bcrypt) than developing the mobile apps am supposed to.
Guess who will be blamed for missing the deadline?
Yea, it's me.
Guess who will get the credits for the backend i am developing?
Yea, it's him.
Fuck!

So our teacher just has us sign up for a learning site called Gizmos with a ton of students information. A lot of students forgot their password as always and some didn't register with an email so I expected the teacher to reset them..

Then the teacher had students come up to the front of the f****** class and SHOWED THEM THEIR PASSWORD IN PLAIN TEXT. WHAT THE HELL

i want to get my own social network up and running.

so far ive got -
login 100% securely
register (1000% securely)
view someone’s profile (10^7% securely)

to add -
scrypt (maybe bcrypt, however scrypt looks like the better option)
friend a user
track their every move (ill use facebooks and googles apis for that)

to describe my product -
ai
blockchain
iot
big data
machine learning
secure
empower
analysis

call me when im a gazillionaire

but seriously, im making a social network and i hope its done by wk105 tbh

Best:
- optimized a lot of queries and pieces of code
- graduated from the dutch equivalent of community college
- started a new education
- updated our password schema from a shameful algorithm to bcrypt

Worst:
- haven't been able to convince my colleague and bosses to automate stuff
- still no tests
- still a php dev
- still alone

2018:
Come at me with your c++ and robots! I'll fucking master you!

Fuck React!
Fuck BCryptjs!!
Fuck Insomnia!!!
Fuck ExpressJs!!!
Fuck MongoDB!!!!!!
Fuck Case sensitivity!!!
Fuck Nodemon!!!!
Fuck coding!!!!!

hashing passwords atm.

i have a java backend, should i look into bcrypt or just use a loop?

also how many times would you recommend i hash passwords?

and should i look into hardware acceleration?

Lesson learned: Always use node LTS in production, library maintainers are lazy af.

password_hash

easiest way to do secure passwords as long as you use bcrypt

why should i use scrypt over bcrypt if moore's law is coming to an end?

When you keep telling your boss that you remade one of their sites so that it has BCrypt(currently use SHA-512),CSRF checks, stricter Auth/Cookie encryption and that we should swap it and all he says we will get to it.

wot n tarnation-_-

When did we decide managing Users through Cloud REST architecture was more secure than having them in an underlying DB?

Because I can't put my finger on exactly why... but I don't like it and I think it's probably less secure... and just spawned from the need to be able to make user management a subscription based service like fucking everything? When a simple MySQL or postgres and some bcrypt somewhere would be both more secure and infinitely cheaper?

I'm more used to consuming REST API's than writing them. Can any you REST peeps help me understand how a REST API could be made as secure as a SQL DB connection for user management?

What do you think the attack vectors are for a REST API User Management? Like... what's the SQL injection of REST API? Pack some extra JSON somewhere or something?

At least if I can have faith my shit's not gonna get hacked because I have to use a 3rd party REST service for User Management of Users to my own fucking app I can maybe sleep tonight.

Trying to make a nodejs backend is pure hell. It doesn't contain much builtin functionality in the first place and so you are forced to get a sea of smaller packages to make something that should be already baked in to happen. Momentjs and dayjs has thought nodejs devs nothing about the fact node runtime must not be as restrained as a browser js runtime. Now we are getting temporal api in browser js runtime and hopefully we can finally handle timezone hell without going insane. But this highlights the issue with node. Why wait for it to be included in js standard to finally be a thing. develop it beforehand. why are you beholden to Ecma standard. They write standards for web browser not node backend for god sake.

Also, authentication shouldn't be that complicated. I shouldn't be forced to create my own auth. In laravel scaffolding is already there and is asking you to get it going. In nodejs you have to get jwt working. I understand that you can get such scaffolding online with git clone but why? why express doesn't provide buildtin functions for authentication? Why for gods sake, you "npm install bcrypt"? I have to hash my own password before hand. I mean, realistically speaking nodejs is builtin with cryptography libraries. Hashmap literally uses hashing. Why can't it be builtin. I supposed any API needed auth. Instead I have to sign and verfiy my token and create middlewares for the job of making sure routes are protected.

I like the concept of bidirectional communication of node and the ugly thing, it's not impressive. any goddamn programming language used for web dev should realistically sustain two-way communication. It just a question of scaling, but if you have a backend that leverages usockets you can never go wrong. Because it's written in c. Just keep server running and sending data packets and responding to them, and don't finalize request and clean up after you serve it just keep waiting for new event.

Anyway, I hope out of this confused mess we call nodejs backend comes clean solutions just like Laravel came to clean the mess that was PHP backend back then.

Express is overrated by the way, and mongodb feels like a really ludicrous idea. we now need graphql in goddamn backend because of mongodb and it's cousins of nosql databases.