About 1lann

  1. Hi, I'm in my last year of high school, so I still have a lot to learn (then again, no matter how long you've spent in the software engineering industry, there's always more to learn). I develop on OS X, and run Ubuntu Server on my servers. These days I mainly program in Go and JavaScript (I'm an absolute fan of Go). But I can program in C/C++, Python and Lua too. I really enjoy writing web applications and utilities (kinda like systems programming). I'm a fan of OOP, but not Java. Java and PHP are actually my most disliked languages.
  2. This is generally a good idea, as it reduces the severity of data leaks since it isn't possible to leak passwords, and it is often more convenient for users to just log in with an existing account. However, for privacy reasons, some people don't like logging in with their Facebook or Google accounts to some sites, or wish to keep themselves anonymous, or want to have multiple accounts. I feel like the best option would be to have both OAuth and your own authentication. You certainly should read up on some OWASP articles before you attempt to implement your own authentication, as they cover most web vulnerabilities and describe them in detail. Here's one to start you off: https://www.owasp.org/index.php/Authentication_Cheat_Sheet. Unfortunately some small vulnerabilities aren't covered in the cheat sheet, such as timing attacks, which you can prevent by using constant-time comparison functions. Also I recommend using a hashing algorithm like scrypt, or bcrypt if scrypt is too memory-intensive. Avoid using SHA or weaker hashing algorithms, as their use in authentication is often implemented incorrectly and can be brute-forced relatively quickly. Algorithms like scrypt and bcrypt are intentionally resource-intensive and slow to make brute-forcing as slow as possible, and have a built-in salt. scrypt is just a memory-intensive variant of bcrypt to prevent brute-forcing through the use of GPUs.