How hard is it to implement email verification?

  • bangupjobasusual@lemmy.world
    1 day ago

    Sorry, yes it is. I’d really prefer it if software developers would take this more seriously. Managing user credentials is a high-risk burden that you should avoid if possible.

    • limer@lemmy.ml
      1 day ago

      There are open source solutions to handle this effectively, which can be used in most projects; I would change the advice you gave to “do not roll your own email verification, ever.”

      • bangupjobasusual@lemmy.world
        22 hours ago

        I wouldn’t change my advice. Even if you go Argon2id, you still have a creds database to protect. If you let that go it’s just a matter of time before it’s useful.

        You could go WebAuthn, but now we are back to passkey or Windows Hello or whatever. Which is what I told OP, they invented passkey, and it’s still third party reliance.

        Source: I’ve been a software architect for 25 years.

        • limer@lemmy.ml
          22 hours ago

          If one cannot protect their database, then there are a lot of other issues going on besides how one authenticates.

          Over the years, I’ve read about some security issues with different social logins, and a few of them have been serious. One never knows when the next vulnerability is.

          At the end of the day, everything has a vulnerability, and the best way to mitigate against that is best practices, and keeping up with news. That, and a bit of luck.

          I have created my own login systems multiple times, and probably violated over a hundred best practices. I don’t know what a best login system looks like, but I have enough experience to find flaws with all of them now. And I am not confident in anything I use. Even if I only use battle-tested systems made by large groups of people.

          • bangupjobasusual@lemmy.world
            20 hours ago

            This is precisely why you should really consider leaning into OAuth. Your users don’t want another unique password to manage, so guess what, when your creds database gets leaked, it’s not just your site that’s getting screwed.

            Look, with new AI tools, security is a very scary place to live. I wouldn’t blow this off. Let the companies that invest millions in it manage this piece for you.