The era of passwords is over.
Craftsman
Architect
Fullstack developer
Jeremie Drouet
@JeremieDrouet
https://github.com/jdrouet
https://www.inyoursaas.io/
https://github.com/in-your-saas
https://hub.docker.com/u/inyoursaas/
State of the "art"
Sign-up:
1. User creates an account
2. Password is hashed and stored in the database
Sign-in:
1. User sends their credentials
2. Hash the submitted password and check if it matches the stored hash
How do they break it?
Brute force
(Reverse) lookup table: precomputed hashes of common passwords
Always salt the hash: a per-user random salt makes precomputed tables useless
What's the problem with passwords?
~300 accounts per person
87% weak passwords
305 pwned websites
5,373,029,881 pwned accounts
77,551 pastes
84,632,923 paste accounts
Source: https://haveibeenpwned.com
5% use a password manager
How can I avoid that?
Make people use a secure password manager
Implement a two-factor authentication system
Rely on a stronger system that provides authentication
How to implement a magic link in Node.js
Json Web Token
Header
    {
      "alg": "HS256",
      "typ": "JWT"
    }
Payload
    {
      "iat": 1422779638,
      "first_name": "Jean Claude",
      "last_name": "Van Damme"
    }
Signature
    HMAC-SHA256(
      encodeBase64Url(header) + '.' +
      encodeBase64Url(payload),
      secret
    )
Only the owner of the secret can forge a token
// Issuing the token (signed with the server-side secret)
const jwt = require('jsonwebtoken');
const config = require('../config').get('jwt');

// Only the user id goes in the payload; consider an expiresIn option so a
// leaked link stops working after a while.
const generateToken = (user) =>
  jwt.sign({id: user.id}, config.secret);

// Checking the token on incoming requests (express-jwt middleware)
const jwt = require('express-jwt');
const config = require('../config').get('jwt');

app.use(jwt({
  secret: config.secret,
  credentialsRequired: true,   // reject requests that carry no token
  requestProperty: 'user',     // decoded payload lands in req.user
}));
Sending it by email
const axios = require('axios');
const config = require('../config').get('catapulte');

const client = axios.create({baseURL: config.url});

// Send the magic link: `token` is the JWT returned by generateToken(user)
const sendMagicLink = (user, token) =>
  client.post('/mails', {
    template_id: '42424242',
    from: 'rick@getschwif.ty',
    to: user.email,            // e.g. 'morty@getschwif.ty'
    substitutions: {
      message: 'Show me what you got',
      url: `https://get.schwif.ty/authenticate?token=${encodeURIComponent(token)}`,
    },
  });
https://jolimail.io
Put everything together
Some downsides
(or secret features)
If I forward the email to someone, they will be authenticated as me
What if I want to blacklist a certain token or a certain user?
Questions?
The era of passwords is over
By Jérémie Drouet