DEV Community


Discussion on: Pushing Left, Like a Boss! -- Part 2: Security Requirements

Tanya Janca (Author)

I suppose if the software developers implementing the HaveIBeenPwned service don't understand the security behind it, and how the passwords are compared, I do see that they may be reluctant to use the service. There are also paid services that can do this for you; I believe that 1Password offers such a service. Maybe using a paid service would seem more secure and "legit" than using an open source and free service? This is a good point.

Tari R. Alfaro

I guess when you're signing up or changing your password/passphrase you could have a little check box saying "Check if your password/passphrase is compromised." that defaults to off.

And of course an information link that first explains to an average user, then more technical details if they're smart enough to understand it.

It seems like a good balance to me. I feel like a lot of people would want to check that box when registering an account. Perhaps that's just me.

Of course this is experimental, which would require research. None of the services I have seen on the internet implement this.

But I think it would be a good balance.

Tanya Janca (Author)

Hi,

We (you, developer; me, security person) need to make a lot of decisions on behalf of our users. Just like a car designer makes many decisions for me that I do not understand, we (software builders) need to make decisions for the users of the software that we create. No users will understand if we give them this choice. It's too much; only professionals would understand, and that's not fair to the average user, who may choose incorrectly. The same would be true if my car manufacturer offered me airbag X or airbag Y, and listed all the reasons to choose one or the other. It would be a waste of time because I'm not a professional car designer/do not have the knowledge to fully understand. Does this make sense? Offering them this choice would just be confusing, not helpful, to any regular (non-IT professional) user visiting a website.

Many services on the internet check for breached passwords all the time; Facebook does it, and many, many more. They are doing this to protect their users from a vulnerability called "credential stuffing", which means attackers using stolen credentials on sites and then stealing from or harming the victims. It's happening quite a lot and it's extremely damaging, because many users reuse the same password on many different platforms. Many websites that we all use are currently doing this. None of them ask for the user's consent, because they are not sending the password or personal information; it's part of a hash, which is not recognizable as the original password.

If you want to know more about how the partial password hash is passed for the haveibeenpwned.com API, you can read the spec here: haveibeenpwned.com/API/v2

I hope this helps?
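The partial-hash lookup the comment above refers to is a k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, gets back every suffix in that bucket with a breach count, and compares the remaining 35 characters locally. The code below is an added example written for this discussion, not code from the original post or from the haveibeenpwned.com project. It assumes the range endpoint path under api.pwnedpasswords.com and the `Add-Padding` request header that later API versions document; the range body it parses is constructed inline (including the counts) so the example runs offline, and the real HTTPS fetcher is defined but never called automatically.

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

# Assumed endpoint (matches the documented range API, but verify against the
# current haveibeenpwned.com API docs before deploying).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the upper-case hex digest into the
    5-character prefix that is sent to the service and the 35-character
    suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(body: str, suffix: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return the breach
    count for our suffix, or 0 when it is absent. Padding entries carry a
    count of 0, so they fall out naturally."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            try:
                return int(count.strip())
            except ValueError:
                return 0
    return 0


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Full client-side flow. fetch_range is injected so the logic can be
    exercised against a constructed response without any network access."""
    prefix, suffix = split_hash(password)
    return count_in_range(fetch_range(prefix), suffix)


def fetch_range_https(prefix: str) -> str:
    """Real fetcher (not called in this example). Add-Padding asks the service
    to pad the bucket with zero-count entries so the response size does not
    reveal which prefix was requested. Assumed header; check the API docs."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pushing-left-example"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed sample bucket for prefix 5BAA6 (the prefix of SHA-1("password")).
# Suffixes and counts are made up for the example; the last line mimics a
# padding entry. Only the "password" suffix is a real hash value.
CONSTRUCTED_RANGE_5BAA6 = """1E2AAA439C4F72E7C89FE1BD8B08D33EBA9:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E6E6E4F1B1E0D6C2D7D0E1B3A5C7F9D1E2:0
"""


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for fetch_range_https using the constructed bucket."""
    if prefix == "5BAA6":
        return CONSTRUCTED_RANGE_5BAA6
    # Any other bucket: padding only, so nothing matches.
    return "00000000000000000000000000000000000:0\n"


if __name__ == "__main__":
    prefix, suffix = split_hash("password")
    print(f"sent to service: {prefix}   kept locally: {suffix}")
    print("breach count:", breach_count("password", fake_fetch_range))
```

Two design points worth noting: the service only ever sees the five-character prefix, which maps to roughly a million possible SHA-1 digests, so the request by itself does not identify the password; and the decision of what to do when the lookup fails (timeout, rate limit) belongs in your requirements, since silently skipping the check and silently blocking sign-up are both policy choices, not defaults.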

Tari R. Alfaro

Hmm, you're right. I guess we shouldn't be giving users any choices that could potentially allow them to shoot themselves in the foot.

It's really hard being into security and trying to develop solutions for people who don't understand.

Because you have to think and feel like an end-user, when you're really not.

Tanya Janca (Author)

I hear you! I'm a big advocate for usable security features, which means testing with real, live users, not putting someone like me in as a tester (because I'm inherently biased, being a security professional).

I am hoping that as the years continue the security industry works harder to make every aspect of security easier and better for the consumer, with the goal that one day the easiest way to do something will also always be the most secure way to do it. This is my dream!

I also want to make security easier for Devs. Because right now it is Way. Too. Hard.

Tari R. Alfaro

Yeah, it is really hard. I think systems should be designed with security from the start, like you pointed out in your first article. I really wished the ActivityPub protocol was designed with cryptography implemented, but ... of course, it wasn't. And now we have a standardized social network protocol without confidentiality and authenticated integrity, which should've been baked in.

Yep. We are biased.

Things are getting better, slowly. We do have Libsodium for cryptography. Still, even then it can be confusing to those who don't understand.

But there isn't really a way to automatically implement secure code with cryptography built into the heart of it.

Only recently I've started thinking about security for the average user. Obviously still having a hard time ...

Tanya Janca (Author)

This Twitter post might interest you, about notifying users:
twitter.com/stebets/status/1017366...