Often, one of the first architectural decisions taken at the very start of developing a site is to authenticate users with email + password. This pairing is so firmly stuck in our heads that we no longer ask why we force people to invent a password. We have simply always done it that way.
But let's think: maybe your users do not need passwords at all.
One possible solution is OAuth 2.0, but not every user has a social network account, or the desire to use it on your site.
So how, then, do you get rid of the password? I will try to answer this question in this article.
> The only secure password is one that you cannot remember.
>
> Troy Hunt
The password itself is already a problem. It benefits neither you nor your users.
For the site owner, the password is a liability because storing it creates an additional weak point in the system. No matter how strong your hashing algorithm is (and God forbid you do not use one), sooner or later cracking it will become trivial for new GPUs, and later for CPUs as well. And if your database leaks onto the network, it deals a huge blow to you and your visitors. Without passwords, the database becomes far less attractive prey.
For visitors to your site, the password is an additional burden. Inexperienced users will once again reuse their "regular" password, increasing the risk of losing it. Advanced users will be forced to come up with a dedicated password for your site or to use a password manager.
Password managers themselves are a crutch, and their very existence should show us how inadequate and inefficient the widespread use of passwords has become.
On top of this, you can further poison your users' lives by forcing them to change passwords periodically, or by prohibiting or requiring special characters.
The answer is to not use passwords at all. You only need to know the user's email.
When registering on the site, you are in any case tied to the user's email. You send letters to it to confirm that the user owns the account; you use it to reset the password.
"Password reset" already sounds like an oxymoron: in order to set a new password, all the user needs is to receive an email. That's it. So why did you force the user to invent a password, change it, and use only the characters you like?
After all, to authenticate a user you just need to send them an email with a generated link, exactly as you do when confirming an account. That alone is enough to sign the user in.
Moreover, modern email services are far more secure and better prepared for attacks than an ordinary site with cat pictures. Entrust password storage and protection to the professionals.
Consider an example of a simple site with PostgreSQL as the database.
Two tables are enough for us (with a minimal set of fields):
users:

| Field name | Data type | Attributes |
|---|---|---|
| id | serial | PRIMARY KEY |
| | varchar(320) | UNIQUE |
sign_in_requests:

| Field name | Data type | Attributes |
|---|---|---|
| id | serial | PRIMARY KEY |
| | varchar(320) | |
| token | uuid | UNIQUE |
| request_ip | varchar(45) | |
| activated_at | timestamp | NULLABLE |
| expired_at | timestamp | |
The link sent to the user has the form:

https://example.com/signin/callback/email/{{token}}

When the link is used, the request is marked as activated: `sign_in_requests.activated_at = now()`.
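The flow described above, as an added example that is not part of the original article: the two tables, issuing a sign-in link, and validating the token from the callback URL. It uses an in-memory sqlite3 database as a stand-in for PostgreSQL (so `serial` and `uuid` become `INTEGER PRIMARY KEY` and `TEXT`), the column names follow the article, and the function names, the 10-minute link lifetime and the callback host are my own assumptions. The point worth seeing in code is that a token must be accepted only once and only before `expired_at`, and that both checks happen in the same `UPDATE` that sets `activated_at`, so two concurrent callbacks with the same token cannot both succeed.

```python
import sqlite3
import uuid
from datetime import datetime, timedelta, timezone

LINK_TTL = timedelta(minutes=10)  # assumed lifetime of a sign-in link
CALLBACK = "https://example.com/signin/callback/email/{token}"  # host assumed


def ts(dt):
    """Store timestamps as fixed-width ISO strings so string comparison == time comparison."""
    return dt.astimezone(timezone.utc).isoformat(timespec="seconds")


def open_db():
    """Create the two tables from the article (sqlite types as a stand-in for PostgreSQL)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (
            id    INTEGER PRIMARY KEY,
            email VARCHAR(320) UNIQUE NOT NULL
        );
        CREATE TABLE sign_in_requests (
            id           INTEGER PRIMARY KEY,
            email        VARCHAR(320) NOT NULL,
            token        TEXT UNIQUE NOT NULL,   -- uuid in PostgreSQL
            request_ip   VARCHAR(45),
            activated_at TIMESTAMP,              -- NULL until the link is used
            expired_at   TIMESTAMP NOT NULL
        );
    """)
    return db


def request_sign_in(db, email, request_ip, now=None):
    """Record a sign-in attempt and return the link that is emailed to the user."""
    now = now or datetime.now(timezone.utc)
    token = str(uuid.uuid4())  # 122 random bits from os.urandom; never derived from the email
    db.execute(
        "INSERT INTO sign_in_requests (email, token, request_ip, expired_at)"
        " VALUES (?, ?, ?, ?)",
        (email.strip().lower(), token, request_ip, ts(now + LINK_TTL)),
    )
    db.commit()
    return CALLBACK.format(token=token)


def complete_sign_in(db, token, now=None):
    """Validate the token from the callback URL.

    Returns the signed-in email, or None if the token is unknown, already
    used, or expired. The single UPDATE both checks and consumes the token.
    """
    now = now or datetime.now(timezone.utc)
    cur = db.execute(
        "UPDATE sign_in_requests SET activated_at = ?"
        " WHERE token = ? AND activated_at IS NULL AND expired_at > ?",
        (ts(now), token, ts(now)),
    )
    db.commit()
    if cur.rowcount != 1:
        return None
    (email,) = db.execute(
        "SELECT email FROM sign_in_requests WHERE token = ?", (token,)
    ).fetchone()
    # The first successful sign-in creates the account; no password is ever stored.
    db.execute("INSERT OR IGNORE INTO users (email) VALUES (?)", (email,))
    db.commit()
    return email


if __name__ == "__main__":
    db = open_db()
    link = request_sign_in(db, "Alice@Example.com", "203.0.113.7")  # constructed sample input
    token = link.rsplit("/", 1)[1]
    print("first use:", complete_sign_in(db, token))   # alice@example.com
    print("second use:", complete_sign_in(db, token))  # None: the link is single-use
```

The row keeps the plain token, as in the article's schema; if a leaked database is the threat you care about most, store only a hash of the token and hash the value from the URL before the lookup, which costs one extra line here. `request_ip` is recorded as in the schema but not checked, because a user who requests the link on one device and opens the email on another legitimately arrives from a different address.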
Image: https://pixabay.com/en/padlock-grunge-rusty-rusting-76866/
Source: https://habr.com/ru/post/341164/