MxL Devs
Should You Use Password Authentication?

Today I wanted to sign into a service that I haven't used in a while, but I forgot my password. So I hit "Forgot Password?", entered my username, and it sent a password reset link to my email. Fortunately I still remember the password to my email.

I opened my email, clicked the link, and it took me to a password reset form where I entered a new password that had to be at least 8 characters, including one uppercase letter, one lowercase letter, one digit, and one special character like $*@&!.

Spoiler alert, I'm not going to remember that password next time either. Chrome asked me if I wanted to store the password, and I said no. I'll deal with password reset again next time.

So this got me thinking about the age-old problem of security: authentication.

What is Authentication

There's already a lot of material out there. I would recommend reading the Wikipedia article on authentication; it's a fantastic start and covers all sorts of topics.

Basically, it's proving you are who you claim to be. If you walked up to the bank, said you're _______, and wanted to withdraw a suspicious amount of cash from your account, what's stopping the bank from just taking your word for it?

There are many different strategies involved, and security researchers have settled on three factors that go into the process:

  • what you know (knowledge)
  • what you have (ownership)
  • what you are (inherence)

Authentication in Action

So for example, today I went to order a Venti Java Chip Frappuccino from Starbucks. No sponsorship, I'm just a fan, even if it's loaded with sugar.

When it came time to pay, I used my chip-enabled credit card where I entered a PIN to approve the transaction.

This is a simple example of authentication: I have a credit card that's tied to my bank account and only I should know the PIN code for the card.

Of course, then they introduced tap-to-pay, and suddenly the PIN code goes out the window for most people unless they disable it.

Convenience truly is the bane of security.

Why Authentication Matters

It's pretty simple: we all have things that should be private. A bank account, an email account, your computer, even your home. I still use an ancient-tech metal lock and key, which can easily be picked, while some people use digital keypads (just another password) or more sophisticated things like fingerprint scanners or voice- and facial-recognition systems. Open sesame?

Why Passwords?

You'd think that with advances in technology we'd have moved on from passwords, but probably 99% of the systems out there still use basic password authentication, whether it's a string you type to unlock your computer or the unlock pattern on your phone.

Personally I don't like passwords at all.

  • You'll probably write it down somewhere, because who's going to remember all these dumb uppercase, lowercase, number and special-character requirements?

  • You'll probably re-use them, so if someone gets one somehow, all of your accounts can be compromised.

  • You'll probably share it with someone else, whom you then have to trust to keep it secret.

And as a developer especially, suddenly the stakes are really high: I just want you to have private access to your account; I don't want to have to figure out how to keep your secrets from being leaked.

Alternative to Passwords

Fortunately, the internet has evolved and there are various tools at our disposal. Passwordless authentication has become quite popular and is used in a lot of services now. SSH keys are a common example that devs are probably familiar with. Then there's fingerprint unlock for apps, which my banking apps offer and which is quite convenient.

But outside the technical stuff, you might have already come across passwordless services yourself, like when you "log in with Facebook" or "log in with Google" and don't need to remember additional passwords. Basically, you outsource the security to billion-dollar companies that probably have more people making sure those secrets are kept well.

There's a library called passportJS for NodeJS that lets you implement authentication with about 500 different strategies easily, and I'm sure various frameworks have similar libraries. If not, it might be something you can build :)

But is Passwordless Good Enough?

It's pretty nice to be able to use your Google account to authenticate into dozens of services, but what happens if your Google account gets compromised? Now all of the services that use that Google account are also compromised.

However, that's a risk the end user takes on, and not something you, the developer or the business owner, necessarily need to worry about. Even if hackers find exploits in your system and dump your database, the damage is probably going to be limited to whatever information your users gave you, which won't include passwords they might be re-using in a bunch of other services!

Personally, I would recommend looking into passwordless authentication options so you don't have to deal with anyone's passwords, secret questions/answers and so on. It's less legal stress to worry about and much less technical effort on your part.

Sure, sometimes it might be convenient for me to create a throwaway user account without having to bind one of my throwaway email addresses to it, but maybe this is also a good thing.

But I still want passwords!

(added 2020-07-14)

There are cases where you may choose to let users authenticate with a simple password, for example if they don't have access to the alternative authentication methods you've provided.

In this case, the user is trusting you with their password, so you'll have to make sure you keep it secure! Read about and follow good password storage practices: hash and salt the password and store only the result in the database. You should never have access to the user's password, because that's something you don't, and shouldn't, need to know.

Feedback

Let me know your thoughts about user authentication and security. I don't have a security background so my understanding is quite limited to high-level concepts. Maybe passwordless is also not that great? Are there other forms of authentication that you use, or read about, or have thought about?

Tomas Fernandez

The problem with Google and Facebook authentication is that not everyone has Google or Facebook, or Twitter or LinkedIn for that matter. What to do with them?

As a user, I use Google or GitHub when possible; for everything else, a password manager solves all my password needs. I only need to remember one password (the master lock). I let the manager generate random passwords for all my accounts.

MxL Devs

It could be a problem. Most services I come across that offer 3rd-party authenticators offer Google + Facebook + Twitter as options on top of the standard password option. So in the case of a database hack, only the ones that decided to opt for a password would be affected.

Or it might even be intentional. A lot of Chinese sites, for example, require a valid Chinese phone number to register, which effectively bars non-Chinese residents from registering.

Tomas Fernandez

Yes, you're right. Also, there's a lot of reasons people might not want their Google/Facebook accounts linked to a website. Privacy for instance.

As long as you take some security measures when storing the password, hackers won't be able to guess the password even if they get their hands on the database.

MxL Devs

Practicing proper password storage I think should be good enough. Simple hashing/salting and storing and comparing the results kind of thing.

For me there's always the concern that what if the service doesn't practice good security on their end. Unless security audits are required, we probably won't know until we find our personal information on some pastebin. Might be safer to just minimize the number of passwords that need to be stored.

MxL Devs

Interesting. When does the public key come into play? Would users require technical knowledge to set it up?

Also, what happens if I forget my password but I've also disabled email reset?

Daniel Ziltener

Or, you know, just use a simple password manager like KeePass XC...