Username/password validation should happen entirely server-side, with as little information as possible provided to the client
Yyyup. This is why you also why it’s good practice to respond with HTTP 404 if a public user has tried to access user data they shouldn’t have access to, whether it exists or not. Don’t give them the hint that they hit a path that has forbidden data.
You are making an unfounded assumption that the password is sent to the client which does the check and then shows the message rather than the server doing the check and responding with the message back to the client.
Nah I’m not, look above. There’s a way to do this that isn’t terrible. I just kinda assume that they aren’t doing it properly because I’ve worked in software for decades.
No one is reimplementing their hashing algorithm in JavaScript. Doesn’t matter how many decades in the industry you have, that’s a silly assumption.
The parts of security here that involve best practices are invisible to the user. Things such as salting which many do not do but also how they handle the reset token which many do not think about.
However, none of that makes a good meme for people cosplaying cyber security gurus.
Of course they wouldn’t implement it themselves, that’s what the wonderful world of npm is for. /s
The software I’ve worked in is full of bizarre, dangerous junk. I used to assume that people did things at least the easier way if not the right way. Now, I expect them to do the dumbest, wrongest most esoteric thing possible and I’m often right.
anecdote
I once worked with a person that was essentially maintaining a series of statically compiled hashmaps by hand instead of, you know, doing the obvious and externalizing the fucking thing into a database table. The insane bastard even sat there incrementing the initial collection sizes when he got requests to add in new data.
That would be an extremely bad idea tho, because it would allow a malicious attacker to
Username/password validation should happen entirely server-side, with as little information as possible provided to the client
Yyyup. This is why you also why it’s good practice to respond with HTTP 404 if a public user has tried to access user data they shouldn’t have access to, whether it exists or not. Don’t give them the hint that they hit a path that has forbidden data.
💯
It’s recommended practice to not even tell them which half of the username/password combination failed upon authentication failures.
It is a password reset from. The username has already be confirmed in a previous step
That still doesn’t make it good practice to send the old password (hashed or not) to the client.
You are making an unfounded assumption that the password is sent to the client which does the check and then shows the message rather than the server doing the check and responding with the message back to the client.
Nah I’m not, look above. There’s a way to do this that isn’t terrible. I just kinda assume that they aren’t doing it properly because I’ve worked in software for decades.
No one is reimplementing their hashing algorithm in JavaScript. Doesn’t matter how many decades in the industry you have, that’s a silly assumption.
The parts of security here that involve best practices are invisible to the user. Things such as salting which many do not do but also how they handle the reset token which many do not think about.
However, none of that makes a good meme for people cosplaying cyber security gurus.
Of course they wouldn’t implement it themselves, that’s what the wonderful world of npm is for. /s
The software I’ve worked in is full of bizarre, dangerous junk. I used to assume that people did things at least the easier way if not the right way. Now, I expect them to do the dumbest, wrongest most esoteric thing possible and I’m often right.
anecdote
I once worked with a person that was essentially maintaining a series of statically compiled hashmaps by hand instead of, you know, doing the obvious and externalizing the fucking thing into a database table. The insane bastard even sat there incrementing the initial collection sizes when he got requests to add in new data.
You would assume that, but you would be very wrong. People are lazier/sloppier than you might think.
Searching for “client side authentication NVD” turns up a lot of examples. There is even a CWE for "Use of Client-Side Authentication:
https://cwe.mitre.org/data/definitions/603.html
People are forgetting this is a password reset form, not the login form.