
If You Can, Avoid Saving User Passwords


About 20 years ago, I predicted that JavaScript would fail, as it was such a poor programming language (and not really Java), and that it would struggle with updates. How wrong was I? It is now often the go-to language for the front end, and with Node.js, it now powers many back-end infrastructures. So let’s do a bit of JavaScript and federated login. And for those who study Cybersecurity, I cannot recommend highly enough that you study JavaScript and its integration into RESTful Web services; many Web sites can be broken with a bit of experience in understanding how JavaScript integrates into a page and how OAuth 2.0 is used to pass rights tokens.

With the rising number of data breaches, we need to build systems which do not store passwords. Even storing a hashed version of the password is not secure, especially as Hashcat can run at over 1 Tera Hashes per second (1,000,000,000,000 Hashes per second). One method is to use a federated approach, where we ask the user to log into a trusted federated service, and then examine the token that is returned. A great advantage of this is that the user just selects the identity provider that they trust, and can manage their password with that provider.

So let’s look at an integration into my Web site:


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
