Securing the locks to your accounts - abukhalil-LTUC-ASAC/amman-401d4 GitHub Wiki
Not Web Security Yet
But it is still about security! User authentication is an ongoing topic, and it keeps changing as long as there is progress in how fast your password can be cracked, new cheating algorithms to speed up the process, and even simple social engineering using passwords that have become common but were not common before!
Password Rituals
The first steps in securing your password usually involve simple measures such as using memorable, uncommon passwords (not something like password: PASSWORD). Other times it means not using the same password everywhere! It is imperative to be conscious of these practices, and even better if you manage to understand the whole technical background.
Bcrypt Hashing Functions
One way to protect passwords in the virtual world is by NOT storing them as plain text, usually by hashing them with methods such as MD5, SHA1, SHA256, SHA512 or SHA-3. If you are familiar with cryptography through movies or an interest in the topic, it is quite similar: it involves replacing letters and phrases with other components.
There are two problems with general-purpose cryptographic hashing. One is what you'd expect with computers: iterating through inputs quickly until one produces the same hash output. The other involves being lucky with an input that does not exactly match the original but has the same hash output, since the input space is virtually unlimited while the output is bounded by the size of the function.
The direct answer to how to increase the difficulty is simply to make it take longer, and in the digital world that means turning O(n) time complexity into O(n^2) or worse! Key stretching, i.e. applying the hash recursively many times, is one way; another simply involves adding extra strings to the password beforehand.
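To make the two ideas above concrete, here is an added example (not code from this wiki or from any project it describes) that compares a plain, unsalted SHA-256 hash with a salted, stretched hash. Standard-library PBKDF2-HMAC stands in for bcrypt, since bcrypt is a third-party package; the mechanism is the same: a random per-user salt so identical passwords never share a stored hash, and a tunable iteration count so each guess costs far more than a single hash call. The iteration count, record format and sample passwords are assumptions chosen for the example.

```python
"""Salting and key stretching for stored passwords (added example, stdlib only).

PBKDF2-HMAC-SHA256 is used here as a stand-in for bcrypt.  The stored record
carries the algorithm, the work factor and the salt, so verification can
recompute the hash later even after the default work factor is raised.
"""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster


def plain_sha256(password: str) -> str:
    """Fast, unsalted hash: the scheme the page warns against."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor, compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False  # refuse records from a scheme we do not support
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_same_hash(password: str) -> Tuple[bool, bool]:
    """Why salting matters: two users with the same password produce identical
    plain SHA-256 hashes (True) but different salted records (False)."""
    plain_equal = plain_sha256(password) == plain_sha256(password)
    salted_equal = hash_password(password) == hash_password(password)
    return plain_equal, salted_equal


def cost_ratio(password: str, iterations: int = ITERATIONS) -> float:
    """Rough ratio of one stretched hash to one plain SHA-256 call.

    Illustrative only: absolute numbers depend on the machine, but the ratio
    is what an attacker iterating guesses has to pay per attempt."""
    start = time.perf_counter()
    plain_sha256(password)
    plain = max(time.perf_counter() - start, 1e-9)
    start = time.perf_counter()
    hash_password(password, iterations=iterations)
    stretched = time.perf_counter() - start
    return stretched / plain


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Correct horse battery staple", record))
    print("plain equal / salted equal:", same_password_same_hash("hunter2"))
    print(f"stretched hash costs ~{cost_ratio('hunter2'):.0f}x a plain SHA-256")
```

Storing the work factor inside the record is what lets a site raise the iteration count over time: old records still verify, and they can be re-hashed with the new factor the next time the user logs in.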
Web Tokens & Authentications with JWT
JSON Web Token is a way the web handles authentication. It involves a JSON object and a secure path to the destination using a signature that verifies this is data that I sent; encrypting the signature hides the verification from third-party onlookers.
Since JWT is the way of the web, it is used for authentication and information exchange, something I'd imagine third-party authentication also uses. The JWT is attached to every request from then on and has values that depend on the request headers plus the payload, which is mostly protected against tampering.
A JWT object is defined as:
Header: includes the type of token (JWT) and the signing algorithm (HMAC SHA256 or RSA) [https://en.wikipedia.org/wiki/Digital_Signature_Algorithm]
Payload: has claims and content; claims describe the user sending the request and come with some restrictions depending on whether they are registered or public claims, or unrestricted private claims.
Signature: with HMAC SHA256, the header and payload are used to produce a value for verification purposes, similar to a checksum that ensures file integrity on the receiving side.
The rest could be further explained in terms of how and why JWT is used, which is quite a complicated topic for the moment. However, take a look at the following link to learn how to apply proper authentication.