The era of passwords is over.

Craftsman

Architect

Fullstack developer

Jeremie Drouet

@JeremieDrouet

https://github.com/jdrouet

https://www.inyoursaas.io/

https://github.com/in-your-saas

https://hub.docker.com/u/inyoursaas/

State of the "art"

Sign up:

1. User creates an account

2. Password is hashed and stored in the database

Log in:

1. User sends their credentials

2. The submitted password is hashed and compared with the stored hash

How do they break it?

Brute force

(Reverse) lookup table

Always salt the hash: a unique random salt per password, stored next to the hash, so precomputed tables are useless

What's the problem with passwords?

~300
accounts

87%
weak passwords

305
pwned websites

5,373,029,881
pwned accounts

77,551
pastes

84,632,923
paste accounts

Source: https://haveibeenpwned.com

5%
use a password manager

How can I avoid that?

Make people use a secure password manager

Implement a two-factor authentication system

Rely on a stronger system to provide authentication

How to implement a magic link

in Node.js

JSON Web Token

Header

{
 "alg" : "HS256",
 "typ" : "JWT"
}

Payload

{
 "iat": 1422779638,
 "first_name": "Jean Claude",
 "last_name": "Van Damme"
}

Signature

HMAC-SHA256(
 encodeBase64Url(header) + '.' +
 encodeBase64Url(payload),
 secret
)

Only the owner of the secret can forge a token (but anyone can read it: the header and payload are only base64url-encoded, not encrypted)

// Issuing the token (e.g. lib/token.js): short lifetime, pinned algorithm
const jwt = require('jsonwebtoken');
const config = require('../config').get('jwt');

const generateToken = (user) =>
    jwt.sign({id: user.id}, config.secret, {
        algorithm: 'HS256',
        expiresIn: '15m', // a magic link should not stay valid for long
    });

// Verifying it on every request (e.g. app.js): the decoded payload lands in req.user
const express = require('express');
const expressJwt = require('express-jwt');
const config = require('../config').get('jwt');

const app = express();
app.use(expressJwt({
  secret: config.secret,
  algorithms: ['HS256'],     // never let the token choose the algorithm
  credentialsRequired: true,
  requestProperty: 'user',
}));

Sending it by email

const axios = require('axios');
const config = require('../config').get('catapulte');

const client = axios.create({baseURL: config.url});

// token is the JWT generated for this user; the link in the email carries it
const sendMagicLink = (to, token) =>
    client.post('/mails', {
        template_id: '42424242',
        from: 'rick@getschwif.ty',
        to,
        substitutions: {
            message: 'Show me what you got',
            url: `https://get.schwif.ty/authenticate?token=${encodeURIComponent(token)}`,
        },
    });

https://jolimail.io

Put everything together

Some downsides

(or secret features)

If I forward the email to someone (or someone else reads my inbox), they are authenticated with my account: the link is the credential, so it must expire quickly and work only once

What if I want to blacklist a certain token or user? A signed token stays valid until it expires and the server keeps no state, so revocation needs a server-side record: the ids (jti) of tokens already used, or a per-user cutoff that rejects anything issued before it

Questions?

By Jérémie Drouet
