DEV Community


Security: "Over 83% of Developers Commit this Critical Mistake when storing User's Password." Are You One of Them?"

danielAsaboro on July 09, 2023

Throughout my years of tweaking, designing, and engineering software systems, I've come to realize a fundamental truth: there are no perfect system...
David

Thank you for the article,
I have a question: when you use a 3rd party service like Google, do you still store/create the user in your database? I guess I want to better understand the flow for signup and login authentication when you use a 3rd party auth service. Thanks.

danielAsaboro

Yes, you do, David.

The only difference is you don't have to store their password. Google/whoever will do the authentication part and give you a unique id for that particular user which you can store if they don't exist in your db or simply sign them in if they do.

I suggest looking into PassportJs or AuthJs (as I've also learnt from the discussion here). Feel free to reach out to me directly if you need any help or guidance.

David

Oh, that is true, I will try it out. I am actually using next-auth.

Thank you very much, that is very kind of you. I will actually be taking you up on your offer, because I am kind of tackling this issue at the moment with a personal project and I want to have a better understanding of the auth process.

I also researched and saw access tokens and refresh tokens as a means of having better security. What is your perspective on this?
Thanks.

danielAsaboro

This is also my first time hearing about next-auth...we are really blessed to have so many options as developers.

Access token and refresh token aren't that difficult terms. In simpler terms, an access token is the key you give to users to enter a gated place on your site after validating that they are who they are (authentication).

A refresh token just makes the process of issuing an access token seamless for the user, so they don't have to re-enter their details every time their access token expires.

Reach out through @AsaboroD on Twitter; we can take it up from there ;)

David

I can't send you a message directly, but I sent a hello as a tweet.

Varga György Márk

Nice article! What about when using Auth.js?

danielAsaboro

No, I don't. In fact, this is my first time hearing about it.

Also, correct me if I'm wrong...AuthJs is a library? If so...I use PassportJs, haven't got any reason to search for alternatives yet...However, AuthJs seems like an interesting library (simple to implement at first sight).

Varga György Márk

Yes, it is simple. Best for using on Next.js full stack projects.

danielAsaboro

Yeah, I read that too...

I probably need a project that will force me to look into Next.js (a hackathon maybe). What do you suggest, Varga?

Varga György Márk

Maybe have a look at my latest article if you want to get deeper inside Vercel and the Next.js ecosystem. HERE you can find it.

Mike Stemle

I like a lot of the points in this article. I think I've decided that I'm never going to write a password system again. Auth0, Cognito, Okta, and various OAuth identity providers make it so that storing user passwords is no longer necessary.

I avoid storing user passwords like the plague.

danielAsaboro

Thanks for pointing that out, Michael...that means a lot to me.

I'm also with you on the identity providers thing. Once you start integrating OAuth and the rest, you never want to go back...even for the end users...but some situations, one I found myself in a few months ago, still require going the old way...it is what it is.

Software is about democratizing access.

danielAsaboro

It's my default choice, but there are cases where people are sceptical about connecting their social accounts with your app...(when working on apps used by my old folks). This is where an email and password come in :)

Tough work, but it's a must.

Arowolo Ebine

Thank you so much. You have really enlightened me about this. I am really grateful for this.

danielAsaboro

You are welcome, Ebine. It's a pleasure to do so.

Jon Randy 🎖️

Security: "Over 83% of Developers Commit this Critical Mistake when storing User's Password." Are You One of Them?"

Storing the user's password IS a critical mistake.

danielAsaboro

There are cases where it's unavoidable.