How Not to Do Authentication in Node.js
Submitted by Shreyansh Pandey (@weirdpanda) on Sunday, 30 September 2018
Google the term “authentication in node.js” and you will be greated with thousands of tutorials on how to create a database table with the fields and verify the hash; that’s it. The problem is that security and authentication is not that simple; it can be easy, but you need to work a little for that. In this talk, we will go over some bad methods of authentication and then we’ll look at the good ones followed by a live coding session to show how easy it is to implement this in real life. The talk assumes that the audience does not hold a bachelor’s in applied mathematics just; if you do, it’ll be even better.
- What? Why? How?
- Bad ways
Effects of the bad ways
- Common misconceptions about authentication and, in general, cryptography
Introduction to Modern Ways of Credential Storage
- bcrypt, SHA-*
- Problems with these methods
- NIST standards
- PBKDF, etc.
- Dream crusher
- Common mistakes
- Easy, yet reliable methods
- Bad solution (with JWT)
- Average solution
- Good solution
A laptop with the Node.js environment, a text editor and some zeal!
A 19-year old programmer, amateur mathematician and a student from India. In the past 9 years I have honed my skills in Node.js, ReactJS, AWS and NoSQL databases with competitive experience in PHP and .NET (Windows Forms). My primary areas of interest are secure data channels, asymmetric cryptography, group theory and number theory with a pinch of applied geometry. Currently working as a backend developer at Isomr Studios Private Limited in India.