DEV Community

Discussion on: A Guide to Securing Node.js Applications

Andrei Dascalu • Edited

Absolutely, passwords are deprecated. That's why nobody uses them anymore and the very few websites that use them are compromised 10 times a day.
Just gonna send an email link to an email address based solely on the existence of that email, which the user is going to access with a ... password. There, the bucket was kicked down the road a bit more.
Points:

  • passwords are acceptable. Not great or perfect, but acceptable. YOUR system needs to be secure, but you can't aim to protect people from themselves. There's no way to do that reliably that doesn't also deter users from using your system. Sure, if you have a role system whereby a compromised account can be used to elevate access, then it stands to reason to aim higher - but that's not useful for end-user facing systems.
  • there are good systems of user/access management that you can reliably defer authentication and authorization to (Azure AD or even identity management systems like Okta). It's not necessarily because they are password-less but because authentication can be customized (e.g. you can let the users decide what they want to log in with: password, social, user management systems, magic links, or simply default authentication to the use of given networks) and you can also restrict access based on chosen methods or disable certain methods in certain situations (e.g. with Okta you can enable Facebook login, but say Facebook has a breach -> then you can relegate Facebook-enabled accounts to a different method).
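The second bullet above describes a login-method policy: several methods enabled per application, a switch to turn one off when an upstream provider is compromised, relegation of the affected accounts to a different method, and access restrictions keyed to the method a session was established with. The following Node.js sketch is an added example written for this discussion; it is not code from the original article and not the API of Okta or Azure AD, and the function names, the method list, the resource requirements and the sample accounts are all assumptions made for the example.

```javascript
// Added illustration of a per-application login-method policy for a Node.js
// service. Not the API of Okta or Azure AD; every name here is an assumption.

const KNOWN_METHODS = new Set(["password", "magic_link", "okta", "facebook"]);

// A policy holds the methods currently enabled, the fallback an account is
// moved to when its preferred method is switched off, and per-resource
// requirements: which methods are acceptable for reaching a resource.
function createPolicy({ enabled, fallback, requirements = {} }) {
  for (const m of [...enabled, fallback]) {
    if (!KNOWN_METHODS.has(m)) throw new Error(`unknown method: ${m}`);
  }
  if (!enabled.includes(fallback)) {
    throw new Error(`fallback method ${fallback} must itself be enabled`);
  }
  return {
    enabled: new Set(enabled),
    fallback,
    requirements,                // e.g. { "/admin": ["okta"] }
    disabledReasons: new Map(),  // method -> why it was switched off
  };
}

// Kill switch for one method, e.g. after an identity provider reports a breach.
function disableMethod(policy, method, reason) {
  if (method === policy.fallback) {
    throw new Error(`cannot disable the fallback method ${method}`);
  }
  policy.enabled.delete(method);
  policy.disabledReasons.set(method, reason);
}

function enableMethod(policy, method) {
  if (!KNOWN_METHODS.has(method)) throw new Error(`unknown method: ${method}`);
  policy.enabled.add(method);
  policy.disabledReasons.delete(method);
}

// Decide which method an account must use right now. An account whose
// preferred (or requested) method is disabled is relegated to the fallback
// instead of being locked out.
function resolveLogin(policy, account, requested) {
  const wanted = requested ?? account.preferredMethod;
  if (policy.enabled.has(wanted)) {
    return { method: wanted, relegated: false, reason: null };
  }
  const reason = policy.disabledReasons.get(wanted) ?? "method not enabled";
  return { method: policy.fallback, relegated: true, reason };
}

// Restrict access by the method the session was actually established with.
// A session created through a method that has since been disabled is
// rejected everywhere; otherwise the resource's own requirement decides.
function canAccess(policy, session, resource) {
  if (!policy.enabled.has(session.method)) return false;
  const required = policy.requirements[resource];
  return required === undefined || required.includes(session.method);
}

// Constructed scenario (sample data, not real accounts): Facebook login is
// enabled, then its provider is breached and affected accounts fall back to
// passwords, while /admin stays reachable only through the Okta method.
const policy = createPolicy({
  enabled: ["password", "okta", "facebook"],
  fallback: "password",
  requirements: { "/admin": ["okta"] },
});
const alice = { id: "alice", preferredMethod: "facebook" };
console.log(resolveLogin(policy, alice));                            // facebook, not relegated
disableMethod(policy, "facebook", "upstream provider breach");
console.log(resolveLogin(policy, alice));                            // password, relegated
console.log(canAccess(policy, { method: "facebook" }, "/profile"));  // false: method disabled
console.log(canAccess(policy, { method: "password" }, "/admin"));    // false: /admin needs okta
```

The fallback is deliberately not disableable, so the kill switch can never lock every account out; in a real deployment the same check would also require that existing sessions record the method they were created with, since `canAccess` relies on that field to reject sessions from a provider that has since been switched off.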
David Amour

"That's why nobody uses them anymore and the very few websites that use them are compromised 10 times a day" - What is your source for these facts, or are they just opinion?

Andrei Dascalu

sarcasm

David Amour

Ok. Funny then but not helpful.

Andrei Dascalu • Edited

That's what the second part of the post was for. Unless you're looking for validation.