Sorry, yes it is. I’d really prefer it if software developers would take this more seriously. Managing user credentials is a high risk burden that you should avoid if possible.
Comment on Why?
ChromaticMan@lemmy.world 1 day ago
No it’s not.
bangupjobasusual@lemmy.world 1 day ago
limer@lemmy.ml 15 hours ago
There are open source solutions to handle this effectively, which can be used in most projects; I would change the advice you gave to “ do not roll your own email verification, ever”
bangupjobasusual@lemmy.world 12 hours ago
I wouldn’t change my advice. Even if you go Argon2id, you still have a creds database to protect. If you let that go it’s just a matter of time before it’s useful.
You could go webauthn, but now we are back to passkey or windows hello or whatever. Which is what I told op, they invented passkey, and it’s still third party reliance.
Source: I’ve been a software architect for 25 years.
limer@lemmy.ml 12 hours ago
If one cannot protect their database, then there are a lot of other issues going on besides how one authenticates.
Over the years, I’ve read about some security issues with different social logins, and a few of them have been serious. One never knows when the next vulnerability is.
At the end of the day, everything has a vulnerability, and the best way to mitigate against that is best practices, and keeping up with news. That, and a bit of luck.
I have created my own login systems multiple times, and probably violated over a hundred best practices. I don’t know what a best login system looks like, but I have enough experience to find flaws with all of them now. And I am not confident in anything I use. Even if I only use battle tested systems made by large groups of people.
whoisearth@lemmy.ca 1 day ago
securely