loading...

Maker Story: Password Reset Flow after 5 months

Stefan Wuthrich on June 23, 2019

Hi I'm Stefan, Maker of Full-Stack Developer Job and Resume Board. I started my project on February 19. You can read a bit more about here All sta... [Read Full]
markdown guide
 

Sounds familiar. Also working on a service and the reset password flow is actually the last thing to do before putting it live. In my experience it's not really necessary during a beta/alpha period with a few users, as you just want to test out the features your service is about 👍

 
 

"I set him a new one manually"

If I read that, I always am afraid that security is breached by not hashing and salting the passwords, please tell me you do that though. Additionally, while I agree it offers more flexibility by using no framework, you do sacrifice the built-in security components in frameworks such as CSRF and session hijacking. Even when you use a framework, you do have to be wary about security. For instance, a lot of frameworks do not throttle requests which could result in brute force attacks and such.

I really like to work with security concepts, so that is why this comment is so security oriented.

 

Thanks for your comment Wesley.
Well, my post or way of doing this kind of project is not about sacrificing security needs. I would say, that having a PW Reset Flow does not mean, that things are more secure, with or without a framework. Of course, always having in mind, that eg saving a PW need some hashing and salting, as you 100% correclty said. Don't worry, I never would save a PW without that, manually or implemented. :-)

 
code of conduct - report abuse