Authentication

:arrow_backward: BACK Authentication technology provides access control for systems by checking to see if a user’s credentials match the credentials in a database of authorized users or in a data authentication server. In doing this, authentication assures secure systems, secure processes and enterprise information security.

Securing Passwords

-Passwords are the first line of defense against cyber criminals -storing passwords in clear text in your database is ridiculous -it has to be stored using a hashing-algorithm

Cryptographic hash algorithms: -designed to calculate a digest of huge amounts of data in as short a time as possible -hashing is the greatest way for protecting passwords and considered to be pretty safe for ensuring the integrity of data or password. if someone steals the database with hashed passwords, they only make off with the hashes and not the actual plaintext passwords but there are some weaknesses in cryptographic hash algorithm that allows an attacker to calculate the original value of a hashed password like : -Brute Force attack: Hashes can’t be reversed -Hash Collision attack: Hash functions have infinite input length and a predefined output length

Basic Auth

basic access authentication is a method for an HTTP user agent to provide a user name and password when making a request. In basic HTTP authentication, a request contains a header field in the form of Authorization: Basic credentials, where credentials is the Base64 encoding of ID and password joined by a single colon :

Features HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it does not require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header.

Security The BA mechanism does not provide confidentiality protection for the transmitted credentials so basic authentication is typically used in conjunction with HTTPS to provide confidentiality.

Server side When the server wants the user agent to authenticate itself towards the server after receiving an unauthenticated request, it must send a response with a HTTP 401 Unauthorized status and a WWW-Authenticate header field.

WWW-Authenticate: Basic realm=”User Visible Realm”

Client side When the user agent wants to send authentication credentials to the server, it may use the Authorization header field.

The Authorization header field is constructed as follows

The username and password are combined with a single colon (:). This means that the username itself cannot contain a colon.

OWASP auth cheatsheet

Authentication General Guidelines :

-User IDs :Make sure your usernames/user IDs are case-insensitive. Usernames should also be unique. For high-security applications.

Authentication Solution and Sensitive Accounts :

Do NOT allow login with sensitive accounts to any front-end user-interface Do NOT use the same authentication solution ) used internally for unsecured access.

Implement Proper Password Strength Controls

Password Length Minimum length of the passwords should be enforced by the application. Passwords shorter than 8 characters are considered to be weak (NIST SP800-63B). Maximum password length should not be set too low, as it will prevent users from creating passphrases. A common maximum length is 64 characters due to limitations in certain hashing algorithms, as discussed in the Password Storage Cheat Sheet

bcrypt docs

node.bcrypt.js : A library to help you hash passwords.

If You Are Submitting Bugs or Issues : -Verify that the node version you are using is a stable version;

Compatibility Note :Compatibility with hashes generated by other languages is not 100% guaranteed due to difference in character encodings. However, it should not be an issue for most cases.

Install via NPM :

npm install bcrypt

Usage :

//sync (recommended)
const bcrypt = require('bcrypt');
const saltRounds = 10;
const myPlaintextPassword = 's0/\/\P4$$w0rD';
const someOtherPlaintextPassword = 'not_bacon';
//To hash a password:
//Technique 1 (generate a salt and hash on separate function calls):

bcrypt.genSalt(saltRounds, function(err, salt) {
    bcrypt.hash(myPlaintextPassword, salt, function(err, hash) {
        // Store hash in your password DB.
    });
});
//Technique 2 (auto-gen a salt and hash):

bcrypt.hash(myPlaintextPassword, saltRounds, function(err, hash) {
    // Store hash in your password DB.
});
//Note that both techniques achieve the same end-result.

//To check a password:
// Load hash from your password DB.
bcrypt.compare(myPlaintextPassword, hash, function(err, result) {
    // result == true
});
bcrypt.compare(someOtherPlaintextPassword, hash, function(err, result) {
    // result == false
});