DEV Community

Discussion on: How to Process Passwords as a Software Developer

Collapse
 
failedchecksum profile image
FailedChecksum • Edited

I would go so far as to strongly recommend against engineers implementing the password hashing routine for themselves. That requires some additional knowledge like how many rounds to use, memory optimization and how to avoid edge cases that open you to attacks (e.g. Argon2i with 1-2 passes, bcrypt as mentioned). While they should understand the principles it's best to rely one of the many robust, tested, peer-reviewed libraries that exist for most platforms.

re: TLS
Thankfully as of 2020, the browser-based internet effectively won't function on anything less than 1.2. It's about damn time :) Doesn't protect headless clients, but it's a step in the right direction.

Collapse
 
nathilia_pierce profile image
Nathilia Pierce

Agreed, developer shouldn't even be doing the password hashing. I entirely forgot about the 1-2 passes issue with Argon2i, thanks for reminding me. And yes, it's about time we get TLS 1.2 and newer pushed to everybody.

To mitigate the attack there needs to be 3 or more passes with 10 or more passes over memory.

And again, too complicated for your average web developer who barely do any math in their day-to-day job who've got deadlines to meet. :)

I'm trying to find more edge cases, but no avail. Although I've already done massive amounts of research, trying to put together a post with everything about passwords and all the edge cases that come with is a little difficult. There is definitely a long list of issues and practices to avoid.