Reading-Notes

Readings

Securing Passwords

Explain to a non-technical friend how you would safely hash and store a password.

Hashing: Hashing is a process that takes a password and converts it into a unique string of characters called a hash. It’s a one-way process, meaning that it’s computationally difficult to reverse the hash and obtain the original password. To hash a password, we use a special mathematical algorithm.

Salting: To make the hashed password even more secure, we use a technique called salting. A salt is a random string of characters that we add to the password before hashing it. The salt is unique for each user and adds an extra layer of security. Salting prevents attackers from using precomputed tables (known as rainbow tables) to reverse-engineer the password.

Secure storage: Once the password is hashed and salted, we need to store it securely. Storing passwords in plain text is a big no-no because if someone gains unauthorized access to the storage system, they would have access to all the passwords. Instead, we store only the hashed password and salt. We never store the actual password itself.

Encryption: In addition to hashing and salting, we can further enhance security by encrypting the stored passwords. Encryption uses an algorithm and a secret key to convert the data into an unreadable format. Even if an attacker somehow gains access to the stored hashed passwords, they would still need the decryption key to read the passwords.

https://chat.openai.com/

What is Bcrypt?

Bcrypt is an adaptive hash function based on the Blowfish symmetric block cipher cryptographic algorithm and introduces a work factor (also known as security factor), which allows you to determine how expensive the hash function will be. https://thehackernews.com/2014/04/securing-passwords-with-bcrypt-hashing.html

Why might you use something like Bcrypt?

1. password security
2. adaptive hashing
3. salt inclusion
4. long password support
5. vetted security

Basic Auth

What is Basic Authentication?

In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent (e.g. a web browser) to provide a user name and password when making a request. https://en.wikipedia.org/wiki/Basic_access_authentication

What properties are necessary in the header of a Basic Auth request?

In basic HTTP authentication, a request contains a header field in the form of Authorization: Basic , where credentials is the Base64 encoding of ID and password joined by a single colon :.

How are username:password in Basic Auth encoded?

Base64

OWASP auth cheatsheet

Define the authentication process to a non-technical recruiter.

When authenticating a user or entity we are simpy trying to double check that someone is who they say they are. Just like when a police officer checks someone’s id, they want to confirm the person in the photo is the person who hands them the card.

• Step one would be identification, who is the person trying to gain access? Username or email address? Something unique that would be associated with the account.
• Next step would be asking said user to submit some credentials so we can prove it actually is them.
• Obviously then we have to make sure those credentials align, so we need to verify.
• Does the information align? Are we allowing or denying access?
• If truthy a session is allowed. This is to be able to tack activity within the system but also allow the user access without having to re-authentic repeatedly.

How should your error messaging respond (both HTTP and HTML)? Why?

• HTTP has traditional built out error codes (eg 200, 400, 401, 404, 500, ect.) When they are called it is a good idea to provide details to the user to let them know WHY they are seeing the code; BUT not so much information that it may expose a sensitivity that could be capitolized on by nerdowellers.
• HTML error codes try to be as user friendly as possible. We want to be clear and concise, steer away from tech talk. Give guidance, maybe there is a way to resolve the issue? Provide navigation options, maybe they should return to the previous page or try the homepage. Hopefully there are tracking devices set into place that can record the error, relevant information, time stamp, user details if possible.

Bookmark this link also and consider OWASP fundamentals any time you interact with authentication. Applications developed with security in mind from inception have fewer vulnerabilities throughout their lifecycle.

Looking ahead at this module’s course schedule, What do you look forward to learning?

bearer tokens

What are your learning goals after reading and reviewing the class README?

How to properly protect users.

This site is open source. Improve this page.