DEV Community

Discussion on: Facebook, Google or Github - which OAuth for your site?

Xander • Edited
  • "you need to provide password-restore system"

Password restore system is also not that hard.
If you need to do this and are not allowed to store someone's email address, for example when it is not possible to ask the user if this is okay, then you could add something like the Google Authenticator or LastPass Authenticator and add a one-time password as a recovery means.

  • "protect from abuse"

Captcha has been improved and is called reCAPTCHA and is also fairly simple to include. That and login throttling can solve most of your problems. This problem has been solved many times and there are many resources on how to do this.

  • "take care of protecting hashes"

Protecting password hashes OR protecting anything in general is always a problem, BUT if you have trouble grasping how to protect sensitive data, then you probably should not be implementing anything on your own. Protecting hashes, in my opinion, could be done in a well-protected database. And even if they get the database, make sure you have used bcrypt or Argon2 as a hasher, so that it becomes expensive to steal them.
Security is risk assessment. If you are a small fish, do not expect people to spend millions to hack you. So for every problem, assess it to understand how your infrastructure should be laid out to secure the data.

  • "should not store anything related"

If you ask for consent and are transparent about what you store, and for what reason, then you will comply. Do not store more than you need. Keep the footprint low. If you would only store an email address for account recovery or contact information, then it should be fine. As long as you tell them what you are storing.
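One way to build the two pieces Xander mentions, an authenticator-app one-time code as the recovery factor and login throttling, as an added example rather than code from the discussion. It implements RFC 4226 HOTP and RFC 6238 TOTP with only the Python standard library, adds the clock-drift window and replay check a real verifier needs, and gates recovery attempts behind a per-account lockout. The account names, the 20-byte demo secret, and the lockout parameters are constructed for the example, and the in-memory dictionaries stand in for whatever store a real site would use.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time divided by the step."""
    return hotp(secret, int(at // step), digits)


def new_secret() -> bytes:
    """Fresh 160-bit secret; generated once per user at enrolment and stored server-side."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that Google Authenticator and similar apps import from a QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


class RecoveryVerifier:
    """Checks a submitted code, tolerating +/- `window` steps of clock drift and
    refusing any time step at or before the last one accepted (replay protection)."""

    def __init__(self, step: int = 30, window: int = 1):
        self.step = step
        self.window = window
        self.last_counter = {}  # account -> last accepted counter (in-memory stand-in)

    def verify(self, account: str, secret: bytes, submitted: str, now: float) -> bool:
        given = submitted.strip().encode()  # bytes, so compare_digest accepts any input
        centre = int(now // self.step)
        for c in range(centre - self.window, centre + self.window + 1):
            if hmac.compare_digest(hotp(secret, c).encode(), given):
                if c <= self.last_counter.get(account, -1):
                    return False  # this code (or a later one) was already consumed
                self.last_counter[account] = c
                return True
        return False


class LoginThrottle:
    """Per-account consecutive-failure counter with a fixed lockout once the limit is hit."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}      # account -> consecutive failures
        self.locked_until = {}  # account -> Unix time at which the lock expires

    def allowed(self, account: str, now: float) -> bool:
        return now >= self.locked_until.get(account, 0)

    def record_failure(self, account: str, now: float) -> None:
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = 0

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


def attempt_recovery(throttle, verifier, account, secret, submitted, now) -> bool:
    """Single entry point: refuse while locked, then verify and record the outcome."""
    if not throttle.allowed(account, now):
        return False
    if verifier.verify(account, secret, submitted, now):
        throttle.record_success(account)
        return True
    throttle.record_failure(account, now)
    return False


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret and a fixed clock.
    demo_secret = b"12345678901234567890"
    print(provisioning_uri(demo_secret, "alice@example.com", "ExampleSite"))
    print(totp(demo_secret, 59))  # RFC 6238 SHA1 test vector, 6 digits: 287082
```

The verifier compares in constant time and tracks the last accepted counter per account, which is what stops a code captured over the shoulder from being replayed inside the same 30-second step. The throttle is deliberately per account rather than per IP so a distributed guesser still hits the lockout; a real deployment would also throttle per source address and persist both tables.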

Rodion Gorkovenko

Password restore system is also not that hard.

Well, I don't mean it is very hard. But as usual, not doing this at all is easier. That is my point :)

If you ask for consent and are transparent about what you store, and for what reason, then you will comply. Do not store more than you need.

Note that by GDPR, I think, this probably should be stored on servers in the same region where the user resides. That may be painful. Though a workaround is to store only a hash of the email and then ask the user to enter it (and compare the hash) when the user wants a password reminder...
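Rodion's workaround, storing only a hash of the address and recomputing it when the user types the address at recovery time, as an added example that is not from the thread. It uses a keyed hash (HMAC-SHA256 with a secret kept in application config, not in the database) rather than a plain SHA-256, because email addresses are guessable and an unkeyed table of hashes can be reversed offline by hashing lists of candidate addresses. The key, the normalization rule and the sample addresses are constructed for the example; whether a keyed hash changes the data's status under GDPR is a legal question the example does not answer.

```python
import hashlib
import hmac


def normalize_email(address: str) -> str:
    """Canonical form so 'Alice@Example.COM ' and 'alice@example.com' hash alike.
    Lower-casing the local part is a deliberate assumption: nearly all providers
    treat it as case-insensitive, and a recovery lookup must not fail on capitals."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not an email address")
    return f"{local.lower()}@{domain.lower()}"


def email_token(address: str, server_key: bytes) -> str:
    """Keyed hash of the normalized address. Store this instead of the address.
    Without server_key an attacker holding the table cannot test guesses."""
    msg = normalize_email(address).encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()


def email_matches(address: str, stored_token: str, server_key: bytes) -> bool:
    """Recovery-time check: recompute the token and compare in constant time."""
    try:
        candidate = email_token(address, server_key)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored_token)


if __name__ == "__main__":
    # Constructed key and address; in production the key comes from config/secrets.
    key = b"constructed-server-side-key"
    stored = email_token("Alice@Example.COM ", key)
    print(stored)
    print(email_matches("alice@example.com", stored, key))
```

Rotating the key invalidates every stored token, so plan for it: keep a key identifier next to each token, or accept that users enrolled under the old key must re-verify.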