Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

Posted August 26, 2017 4:01am by

Security questions about login

I'm building my own login app, and I'm facing some security issues

1) If the site is like a educational/forum site without taking any personal information (we only takes the email, password, username, and their website URL), do we need to use OV/EV SSL or DV SSL is enough if we're not taking important personal information??

2) What kind of hash should I use when hashing users' password, and as or functionality and info we take provided above do we need to add salt or since it's just a forum we don't really need to add custom salt??

3) Should we use login proccess that others makes or the login proccess build by ourself is fine?

// we actually only need to verify username and it's password

//like the following code

// variable user is a object of users' username and password


var user = { john:{pwd:"123123"}};
if (user[username] && user[username].pwd == requestpassword) {
console.log("logged in");
}

1 Answer

August 26, 2017 1:59pm

Hi, I got your request.

I'm not sure I'd consider email to not be "personal information", but it's certainly not as sensitive as a credit card number. So far non-sensitive low-volume traffic a DV certificate would probably be adequate.

Salt is such a common part of password encryption algorithms, I would probably just use it automatically. But it's value only applies to situations where someone has gotten access to your database. So if you feel your database is secure, and since the risk of a breach is apparently nothing more than forged or deleted blog posts, then it's probably not absolutely necessary.

And I don't see any advantage of using someone else's code over your own unless one has features you want and the other does not (and assuming you trust the 3rd party code)

Now the example code shows a password being stored and compared in unencrypted form, which is not a good idea.

August 26, 2017 2:07pm

Thanks, I'll make sure I hash the password but I still have some question

1) What method is recommend for hashing?

2) What do you mean automatically in the salt part?

August 26, 2017 2:53pm

New algorithms come out frequently, I think the currently the "best" one is Argon2. But bcrypt, which has been around for quite a while, is still a reasonably good choice.

By "automatically" I mean I would just incorporate salt in the design without really giving it much thought. It seems like "standard practice" to me to always include salt if you're encrypting passwords. But that does mean extra storage. An alternative to a generated random salt would be to use some other field already stored, such as the user's email, as the salt.

August 26, 2017 2:54pm

So will there be a big issue if you don't add salt??

If it's needed any idea for custom salt?

August 26, 2017 3:03pm

Remember the salt only matters if someone steals your database. It increases the computational difficulty of deciphering the stored passwords. And I updated my previous comment regarding salt source.

August 26, 2017 3:09pm

How about do you know will my code has the risk to be injected?

Something like SQL injection issue will my javascript code facing that issue?

Will some of my code be commented by the value of the login form input?

August 26, 2017 4:55pm

Injection attacks are only a concern if you use data supplied by a user to build a command and then execute it. "SQL injection" is a specific case of this where the command is passed to the database engine. Proper handling of the data (known as "sanitizing") can prevent this.

Speaking of SQL injection, I can't resist mentioning this XKCD comic strip.

August 27, 2017 11:36am

Also Steven,

I'm watching a youtube video here: https://www.youtube.com/watch?v=8ZtInClXe1Q&t=1s

And after I watched this I have some question:

1) Will adding custom salt (userid) prevent the hacker find out the same password when you have your database bleach?

for example:

The hacker got into your database, then they saw the hashed password, then they saw some users hashed password is same so they thought it should be a common, popular password.

With the example above will adding custom salt prevents this?

August 27, 2017 2:30pm

You got it. The salt causes hashed versions of the same password to be different.

September 3, 2017 2:29am

How about encryption is the AES the best currently?

And also when we're building login system do we need to encrypt (not has) username (email) also since they might use the same username in other site and the hacker can prevent something like usernameinmysite';-- in other site

September 3, 2017 5:15am

The "hashing" we've been talking about is the same as encryption.

September 3, 2017 6:58am

But hashing in un-reversible so now I'm asking what's the best encryption currently

I'm using encryption to encrypt some other data

September 3, 2017 4:50pm

These also come out frequently, but I believe these are all currently considered very secure:

RSA
AES/Rinjdael 256
Triple DES

October 13, 2017 3:38pm

So let me make sure is AES symmetric and TDES and RSA asymmetric?

Also is there any ranking since looks like tdes has more keys then two other?

October 13, 2017 4:14pm

Those are all symmetric algorithms, I assumed that's what you wanted. I wouldn't worry about relative "ranking", those are just opinions and will differ based on the source.

October 13, 2017 4:29pm

Oh, I see, but why RSA's definition on wiki here has the following sentence

In RSA, this asymmetry is based on the practical difficulty...

And also in Asymmetric's wiki:

Some public key algorithms provide key distribution and secrecy (e.g., Diffie–Hellman key exchange), some provide digital signatures (e.g., Digital Signature Algorithm), and some provide both (e.g., RSA).

Also then what kind of asymmetric encryption would you recommend?

October 13, 2017 4:45pm

As stated in the wikipedia page, "More often, RSA passes encrypted shared keys for symmetric key cryptography ...".

And any meaningful recommendation for encryption would need to be based on a complete understanding of how it will be applied and the type of content it will be used on.

We seem to have diverged pretty far from the original question. Questions on other topics should have separate posts so people not already following can contribute.

Posting to the forum is only allowed for members with active accounts.
Please sign in or sign up to post.

Welcome to the Treehouse Community

Looking to learn something new?

Andrew Young

Andrew Young

Security questions about login

1 Answer

Steven Parker

Steven Parker

Andrew Young

Andrew Young

Steven Parker

Steven Parker

Andrew Young

Andrew Young

Steven Parker

Steven Parker

Andrew Young

Andrew Young

Steven Parker

Steven Parker

Andrew Young

Andrew Young

Steven Parker

Steven Parker

Andrew Young

Andrew Young

Steven Parker

Steven Parker

Andrew Young

Andrew Young

Steven Parker

Steven Parker

Andrew Young

Andrew Young

Steven Parker

Steven Parker

Andrew Young

Andrew Young

Steven Parker

Steven Parker