True, but you realize that FB is still more secure than any custom login system a small company can create.
I always choose OAuth when possible, not FB of course, but Google, GitHub, or based on Auth0.
I would not trust a sensitive app with their custom login... Especially without a 2auth factor.
Yes, but we have to consider a few things:
yes, FB is technically more secure than example.com, but trust is paramount; if you don't trust them it doesn't matter if they have world-class programmers working on security
yes, FB is technically more secure than example.com, but example.com is not an app designed to siphon ALL of your digital footprint and then monetize it, so if a hacker breaks into example.com they are likely to find out way less information about user xyz
the hack was going on for months; they just noticed it a week ago because of unusual traffic patterns
I'm also not saying that OAuth shouldn't be used, I'm saying that maybe using only OAuth is not a great idea. It depends on the case; you have to balance the attack surface with the user experience. I think websites should have both custom and OAuth login.
A website that only knows my email and encrypts my password could not be a huge deal if broken into. A website that knows everything about its users IS a huge deal if broken into.
Facebook should make SMS-less 2FA mandatory, for example.
I don't see a need for websites to keep your email or username in clear text... I prefer to store them hashed, just like we do with passwords.
This way a compromised database with username, email and password is not that useful to a hacker regarding this specific hashed data.
So how do you propose to reset your password? Or how would they contact you?
No need to contact me, they just need to provide the email and everything will work as usual.
When they provide the email it is hashed as if it were to be stored in the database, and then you try to find that hash in the database; on success you send a password recovery email.
The only limitation here is that the user cannot recover the password by using only the username; they must always provide the email.
There are many needs to contact you, from legal reasons to subscriptions, payments, notifications, even data breach alerts. If you have a customer you need to have their contact details.
It's common sense and most of the time a legal obligation.
So I can log into your account anytime because I know your email?
@BG Adrian
If you have legal obligations to keep it or really need it for contact purposes then yes, you would need to keep it in plain text.
But if you only need it for login purposes or to send notifications while the user is logged in then you can store the emails as a hash in the database.
@rhymes
If you can log into my email account then you can, otherwise you can't.
When I said it would work as usual I was referring to the normal process of recovering a password, where an email is sent to your email account with a unique link that normally also has a short expiration time.
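The hashed-email lookup and the expiring recovery link described in the two replies above, as an added example (Python, not code from this thread or from any commenter). It assumes a deterministic keyed hash of the normalised address (HMAC-SHA256 with a server-side secret, here a constructed placeholder) rather than a per-row salted hash as used for passwords: a random salt would make it impossible to find the row from the address the user types in. The key matters because email addresses are easy to enumerate, so an unkeyed hash of an address gives little protection once the table leaks. The 15-minute token lifetime, the class and the function names are all assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical server-side secret ("pepper") that lives outside the database,
# e.g. in an environment variable or a secrets manager. Constructed value only.
EMAIL_HASH_KEY = b"example-pepper-do-not-use-in-production"

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: recovery links expire after 15 minutes


def normalize_email(email: str) -> str:
    """Canonicalise so 'Alice@Example.com ' and 'alice@example.com' hash identically."""
    return email.strip().lower()


def hash_email(email: str) -> str:
    """Deterministic keyed hash (HMAC-SHA256) of the normalised address.

    Deterministic on purpose (no per-row salt) so the row can be found again
    from the address the user supplies; keyed on purpose so a dumped table
    cannot be reversed by hashing candidate addresses without the key.
    """
    digest = hmac.new(EMAIL_HASH_KEY, normalize_email(email).encode(), hashlib.sha256)
    return digest.hexdigest()


class UserStore:
    """Toy in-memory stand-in for the users table; only the email hash is kept."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}   # email_hash -> user record
        self._tokens: Dict[str, dict] = {}  # sha256(token) -> {email_hash, expires}

    def register(self, email: str, password_hash: str) -> None:
        self._users[hash_email(email)] = {"password_hash": password_hash}

    def find_by_email(self, email: str) -> Optional[str]:
        """Return the stored email hash if the address is registered, else None."""
        h = hash_email(email)
        return h if h in self._users else None

    def request_password_reset(self, email: str, now: float) -> Optional[str]:
        """Issue a single-use recovery token, or None if the address is unknown.

        The caller would mail the raw token to the address the user typed; only
        its hash is stored, so a database leak does not expose live reset links.
        The HTTP response should look the same in both cases so the endpoint
        does not reveal which addresses are registered.
        """
        email_hash = self.find_by_email(email)
        if email_hash is None:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[hashlib.sha256(token.encode()).hexdigest()] = {
            "email_hash": email_hash,
            "expires": now + TOKEN_TTL_SECONDS,
        }
        return token

    def redeem_reset_token(self, token: str, new_password_hash: str, now: float) -> bool:
        """Consume the token if it exists and is unexpired; True on success."""
        key = hashlib.sha256(token.encode()).hexdigest()
        record = self._tokens.pop(key, None)  # single use: removed even if expired
        if record is None or now > record["expires"]:
            return False
        self._users[record["email_hash"]]["password_hash"] = new_password_hash
        return True
```

Because only the hash is stored, the server cannot initiate contact on its own (breach notices, billing); the reset mail goes to the address the user just supplied, which is exactly the trade-off the thread discusses.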
Ok sorry, I misunderstood, I was thinking of passwordless logins.