The best advice for storing passwords is to not store passwords

The first time I took the DMV written test I failed it by 2 points. One of the questions I got wrong was: “What is the best advice for driving in heavy fog?” The correct answer was “Not to drive.” I disliked that because, logically, you are already driving.

Not storing passwords

I ran into many issues when I first started to work on adding username/password login: should I keep the credentials in a separate database? How should I store the passwords so they can’t be recovered if that database leaks (hashed, not encrypted, as it turns out)? How am I going to enforce authorization? Security is very important and should not be taken lightly, so after a few false starts I landed on Auth0.

Auth vs Auth

Before I continue, I want to talk about Authentication vs Authorization: Authentication is the process of establishing who the user is; Authorization is deciding whether that user may access what he or she is requesting.

If a person knocks on my door, the first thing I want to know is who it is (Authentication), let’s say it’s my friend Steve. Then, I have to decide if he can come in (Authorization), but since I’m mad at Steve because he cheated on a game of Monopoly, I won’t authorize him to come in.

Authentication and Authorization Services

A mature authentication and authorization service will almost always be more secure than what a single developer can build alone. These services handle sign in and sign up for an application; this means that once I set up Poller with Auth0, I don’t have to worry about passwords because I don’t store them at all. Now I can focus on setting up the right permissions and access for each user.

Everything is based on JSON Web Tokens, JWT (pronounced “jot”), each carrying an expiration time. Auth0 signs the token with its signing key and only redirects it back to the callback URLs I have allow-listed in the tenant settings; the app stores it locally, and as long as the token hasn’t expired the user is logged in. Simple as that. To keep the rest secure, the API checks the JWT on every call: it verifies the signature against Auth0’s key, rejects anything expired, and confirms that the issuer and audience are the ones it expects. If the token has been tampered with or has expired, the API answers 401 Unauthorized.
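To make the API-side check concrete, here is an added example of what “the JWT is also checked when calling the API” has to mean in code. It is not Poller’s code or Auth0’s; it is a stand-alone HS256 implementation using only the Python standard library, so it runs offline. The secret, issuer, audience and user ids are constructed example values. Auth0 issues API tokens signed with RS256 by default, where the API verifies with the tenant’s published public key instead of a shared secret, but the checks the verifier performs (signature, pinned algorithm, `exp`, `iss`, `aud`) are the same ones shown here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values (assumptions for this demo, not real Auth0 settings).
SECRET = b"example-shared-secret-change-me"
ISSUER = "https://example-tenant.example.com/"
AUDIENCE = "poller-api"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json_b64(obj) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(subject: str, lifetime_s: int = 3600, now=None, secret: bytes = SECRET) -> str:
    """Stand-in for the auth service: sign a claim set with HS256 and set an expiry."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "iat": now, "exp": now + lifetime_s}
    signing_input = f"{_json_b64(header)}.{_json_b64(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, now=None, secret: bytes = SECRET):
    """What the API does on every request. Returns (claims, None) or (None, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        provided = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None, "malformed"
    # Pin the algorithm. Never let header["alg"] choose the check: that is how
    # "alg": "none" and HS256/RS256 key-confusion forgeries get accepted.
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):  # constant-time compare
        return None, "bad signature"
    if claims.get("iss") != ISSUER:
        return None, "wrong issuer"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # JWT allows a single string or a list
    if AUDIENCE not in auds:
        return None, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None, "expired"
    return claims, None


def tamper_subject(token: str, new_subject: str) -> str:
    """Rewrite the payload without re-signing, as an attacker without the key would."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["sub"] = new_subject
    return f"{header_b64}.{_json_b64(claims)}.{sig_b64}"


def forge_alg_none(token: str, new_subject: str) -> str:
    """The classic 'alg: none' forgery: swap the header, drop the signature entirely."""
    _, claims_b64, _ = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["sub"] = new_subject
    return f"{_json_b64({'alg': 'none', 'typ': 'JWT'})}.{_json_b64(claims)}."


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    token = issue_token("auth0|steve", now=t0)
    print(verify_token(token, now=t0 + 60))                                   # accepted
    print(verify_token(token, now=t0 + 3600))                                 # expired
    print(verify_token(tamper_subject(token, "auth0|admin"), now=t0 + 60))    # bad signature
    print(verify_token(forge_alg_none(token, "auth0|admin"), now=t0 + 60))   # unexpected alg
```

The order of the checks matters less than the fact that none of them are skipped: a token with a valid signature but the wrong audience was minted for a different API, and a token for the right audience with a bad signature was minted by nobody you trust. In a real deployment the `reason` strings stay in the server log and the client only ever sees 401.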

There are many other advantages to using an Auth service that I didn’t mention: easy user management (password resets, blocking users, email verification), a configurable sign in/sign up page, all those “sign in with Google/Facebook/Microsoft” buttons, and many more things under the hood.
