In this video, we will dive into some best practices of implementing your own authentication on the web.
- CAPTCHA and reCAPTCHA: these are methods/services to verify that a human, rather than a program, is the one performing an action. When you see a field that asks you to type the letters shown in a picture, or, in the case of reCAPTCHA, to select the pictures containing certain objects, you are using a CAPTCHA system. CAPTCHAs evolved out of academic research at Carnegie Mellon by Nick Hopper and Manuel Blum.
Let's dive into some of the best practices of implementing your own authentication on the web.

Hash passwords. When storing users' passwords, the most important thing to keep in mind is that you should always hash your passwords. Hashing is a one-way process of securing data with a strong algorithm. Without getting too much into the cryptography of hashing, essentially, as of 2017, you should be using the bcrypt hashing algorithm, which has implementations in every major language. The hashed password can never be retrieved in plain text. Instead, the entered password is hashed in the same way as the stored password, and these two hashes are then compared to verify a match. Due to the way bcrypt works, if anyone compromises your server and gets their hands on your hashed passwords, it will usually take longer than the lifetime of the known universe to reverse the hash, even with the strongest modern supercomputers. Remember, hash your passwords, never encrypt them. If someone steals the key that you used to encrypt passwords, then you might as well have never encrypted them. And managing a cryptographic key in the business logic of a web application is a very risky move. If you can decrypt a password, then so can someone else.

Verify email addresses. When you do provide your own sign-up mechanism, you should verify the email addresses you ask your users to provide, assuming you use them in the process. This is one step in preventing malicious users from abusing your service and registering mass accounts at once. However, this is not an all-in-one protection against login abuse.

Use CAPTCHAs. You should also consider using a CAPTCHA system such as Google's reCAPTCHA in order to deter bots from signing up on your site.

Implement rate limiting. Another common practice is to limit the number of login requests from a single IP address or client over a period of time. For example, if you notice that a single IP address has attempted to log in 20 times in the last 5 minutes, you should respond with an access denied for a certain amount of time. This prevents automated services from either trying to guess your users' passwords or creating massive amounts of users at once. However, you should be careful when rate limiting by IP, as some networks proxy many users through the same IP. In general, whenever you can rate limit via a known user token, that is the preferred method.

Allow or require 2-factor authentication for users. The final security measure you can provide your users is the ability to use 2-factor authentication. You can do this easily through SDKs and libraries available in nearly every language. Keep in mind that using SMS for 2-factor authentication is now discouraged, as attackers can easily spoof phone numbers. Because of broken processes, many Internet and phone service providers allow anyone with a small amount of personal information to get access to a person's text messages. Attackers can then receive the same text messages you send to a user's phone for 2-factor authentication, allowing them to log in before the victim does. Therefore, using 2-factor authentication from services like Google Authenticator, Duo Security, and Authy is recommended. Again, libraries and APIs exist for each of these providers and are often free to use.
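The rate-limiting rule above (20 login attempts in 5 minutes, keyed on a known user token where one exists and on the client IP otherwise), as an added example that is not part of the video. The 15-minute lockout duration and the IP addresses used in the comments are assumptions; the video only says "a certain amount of time".

```python
import time
from collections import defaultdict, deque

# Thresholds from the video: 20 attempts within 5 minutes triggers a temporary denial.
MAX_ATTEMPTS = 20
WINDOW_SECONDS = 5 * 60
LOCKOUT_SECONDS = 15 * 60  # assumed lockout length; the video gives no specific value


class LoginRateLimiter:
    """Sliding-window login limiter keyed on a user token when known, else on client IP."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self._attempts = defaultdict(deque)  # key -> timestamps of recent attempts
        self._locked_until = {}              # key -> time at which the lockout expires

    @staticmethod
    def key_for(ip, user_token=None):
        # Prefer a per-user key: many users may sit behind one proxy or NAT address,
        # so an IP-only key would deny all of them for one user's behaviour.
        return ("token", user_token) if user_token else ("ip", ip)

    def check(self, ip, user_token=None, now=None):
        """Record one login attempt; return True if it may proceed, False if denied."""
        now = time.time() if now is None else now  # injectable clock for testing
        key = self.key_for(ip, user_token)
        if now < self._locked_until.get(key, 0):
            return False  # still inside the lockout period
        recent = self._attempts[key]
        recent.append(now)
        # Drop attempts that have fallen out of the 5-minute window.
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) > self.max_attempts:
            # The 21st attempt inside the window is denied and starts the lockout.
            self._locked_until[key] = now + self.lockout
            recent.clear()
            return False
        return True
```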