javascript - Is my authentication system secured? -


i want implement authentication system following practices, want simple possible , secured (im not going implement magic hashing function or feel hero..) wanting use known hash not sure right way of using it. read articles on how lastpass (a password management company) mange handle authentication , loved idea.so wanted implement own authentication based on it.

basically im creating authentication key password on client side (so password never sent plan text server). authentication key im sending server hashing operations in server side , compare result 1 inside database.

on client side:

auth_key = pbkdf2(sha256, password+username, last_login_fe_salt, fe_rounds)

explanation - hashing password+username+last_login_fe_salt text fe_rounds times

last_login_fe_salt -> random salt sent user once he/she input username in text field - honest, not sure how last_login_fe_salt efficent cryptography against dictionary attacks atleast 2 people having same password send different hashes on network. hacker can data asking server, can add server side limitations (req/s if makes difference etc.. let me know think) adding captcha might idea. when user logged in successfuly server generates new random string , saves in database.

*i didnt see explanation salt lastpass uses on client side hashing, using pbkdf2 algorithm needs salt parameter.

fe_rounds -> number of rounds given server when typing username - fixed , configurable server, in articles read lastpass dont explain receive client side number of rounds...

so send auth_key server...

on server side

now creating new hash compare 1 inside db. why hash? if understand correctly bind hash server side data, combination of password (that user knows) , server data.

db_auth=pbkdf2(sha256, auth_key, user_be_salt, 100,000+user_configurable_rounds)

user_be_salt -> random number saved in db known server , ones obtain database, changes on every successful login.

user_configurable_rounds -> number of iterations, every user can choose amount of iterations (like in lastpass) attacker need guess number or iterations?

i happy hear think authentication system, if wrong explain me why , tell me lastpass because did not understand entire authentication flow.

most of you're doing useless security perspective. lastpass has unusual security requirements -- don't treat them source of best practices.

if client responsible hashing, , of parameters hashing fixed, the hash becomes password. attacker doesn't need know original password; can pass hash server.

generally speaking, there no way verify password on network without either sending password across network (for traditional password authentication protocols), or having server store password in plaintext (for less commonly used protocols srp). of two, former preferable, it's possible secure password in transit using protocols ssl/tls, whereas protocols srp require plaintext of password operate.

tweaking pbkdf round count, either on client or server side, pointless. set fixed round count makes hash slow, not slow place undue load on client or server. (100,000 rounds excessive server-side hash. takes half second verify password settings, 2 login requests per second use 100% of 1 core on server!)


Comments

Post a Comment

Popular posts from this blog

javascript - Create a stacked percentage column -

i have collection of data : var data = [ {"p301a":"10","p301b":"7","p301c":"7","p301d":"3","p301e":"8","p301f":"8","p301g":"8","p301h":"8","p301i":"8","p301j":"8","p301k":"8","p301l":"8","p301m":"8","p301n":"8","p301o":"8","age":"31-40 years","profesion":"2","position":"2"}, {"p301a":"5","p301b":"4","p301c":"4","p301d":"4","p301e":"4","p301f":"4","p301g":"4","p301h":"4","p301i":"4","p301j":"4","p301k":"4...
Read more

Optimising Firebase database by automatically overwriting data -

in firebase app have following structure: posts latest all users can write posts > latest . want limit entries 20 posts save space in database. , posts beyond 20 unnecessary never shown on homepage. how can limit posts 20, when user writes posts > latest posts @ end drop off (be deleted) automatically? this sample should you. you need : const max_log_count = 20; exports.removeold = functions.database.ref('/posts/latest/{postid}').oncreate(event => { const parentref = event.data.ref.parent; return parentref.once('value').then(snapshot => { if (snapshot.numchildren() >= max_log_count) { let childcount = 0; const updates = {}; snapshot.foreach(function(child) { if (++childcount <= snapshot.numchildren() - max_log_count) { updates[child.key] = null; } }); // update parent. removes children. ...
Read more

javascript - Angular UI-Grid customTemplate directive causing rows to load slowly/? -

Image
each grid cell can have more 1 customtemplate loaded. have directive holds watcher on model_col_field listen cell updates on scroll when dom rows updated , recompile celltemplate . without watcher , $compile rows repeat on scroll, showing same set of rows. is there more angular way of approaching or way improve performance? relevant controller code: create gridoptions.data & gridoptions.columndefs : var customtemp = '<div ng-repeat="opt in grid.appscope.colvalueoptionsmodel" ng-init="tempstring=model_col_field.clazz+opt.key;"><comparison-directive dbo="model_col_field" attobj="opt" fff="grid.appscope.getattributetemplate(tempstring)" /></div>'; $scope.gridoptions.columndefs = [ { name:'yindex',pinnedleft:true,celltemplate: customtemp, displayname:'index'}, { name:'col1',celltemplate: customtemp}, { name:'col2',celltemplate: c...
Read more