You have completed Introduction to Application Security!
In this video, we will dive into some best practices of implementing your own authentication on the web.
New Terms
- CAPTCHA and ReCAPTCHA: these are methods/services to verify that a human is the one actually performing an action. When you see fields that make you type in the letters shown in a picture, or, in the case of ReCAPTCHA, select pictures containing certain objects, you're using a CAPTCHA system. CAPTCHAs evolved out of academic research at Carnegie Mellon by Nick Hopper and Manuel Blum.
Let's dive into some of the best practices of implementing your own authentication on the web.

Hash passwords. When storing users' passwords, the most important thing to keep in mind is that you should always hash your passwords. Hashing is a one-way process of securing data with a strong algorithm. Without getting too much into the cryptography of hashing, essentially, as of 2017, you should be using the bcrypt hashing algorithm, which has implementations in every major language. The hashed password can never be retrieved in plain text. Instead, the entered password is hashed in the same way as the stored password. These 2 hashes are then compared to verify a match. Due to the way bcrypt works, if anyone compromises your server and gets their hands on your hashed passwords, it will usually take longer than the lifetime of the known universe to reverse the hash, even with the strongest modern supercomputers. Remember, hash your passwords, never encrypt them. If someone steals the key that you used to encrypt passwords, then you might as well have never encrypted them. And managing a cryptographic key in the business logic of a web application is a very risky move. If you can decrypt a password, then so can someone else.

Verify email addresses. When you do provide your own sign-up mechanism, you should verify the email addresses you ask your users to provide, assuming you use that in the process. This is one step in preventing malicious users from abusing your service and registering mass accounts at once. However, this is not an all-in-one protection against login abuse.

Use CAPTCHAs. You should also consider using a CAPTCHA system such as Google's reCAPTCHA in order to deter bots from signing up on your site.

Implement rate limiting. Another common practice is to limit the number of login requests from a single IP address or client over a period of time. For example, if you notice that a single IP address has attempted to log in 20 times in the last 5 minutes, you should respond with an access denied for a certain amount of time. This prevents automated services from either trying to guess your users' passwords or creating massive amounts of users at once. However, you should be careful when rate limiting by IP, as some networks proxy many users through the same IP. In general, whenever you can rate limit via a known user token, that is the preferred method.

Allow or require 2-factor authentication for users. The final security measure you can provide your user is the ability to use 2-factor authentication. You can do this easily through SDKs and libraries available in nearly every language. Keep in mind that using SMS for 2-factor authentication is now discouraged, as attackers can easily spoof phone numbers. Because of broken processes, many Internet and phone service providers allow anyone with a small amount of personal information to get access to a person's text messages. Attackers can now get the same text messages you send to a user's phone for 2-factor authentication, allowing them to log in before the victim does. Therefore, using 2-factor authentication from services like Google Authenticator, Duo Security, and Authy is recommended. Again, libraries and APIs exist for each of these providers and are often free to use.