ScuffleTV / scuffle

Live streaming platform
https://scuffle.tv
253 stars, 26 forks

Login/Register Page #36

Closed TroyKomodo closed 1 year ago

TroyKomodo commented 1 year ago

Need to create the page for signup and login. Should use some sort of reCAPTCHA system to try to mitigate bot accounts.

For the password hashing algo, I have previously used argon2 and bcrypt. I believe argon2 was the best; however, I haven't kept up with the state of password hashing.

mmattbtw commented 1 year ago

we should go passwordless

could use Auth.js

TroyKomodo commented 1 year ago

I don't think going passwordless is best; I think having both is good. So, like, you can go passwordless if you have an email and we can send you a magic link?

Auth.js won't work since we are not using a JavaScript backend.
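The magic-link flow sketched in the comment above has a small but easy-to-get-wrong core: the emailed token must be unguessable, short-lived, single-use, and stored only as a hash so a database read does not hand out working login links. The following is an added example of that lifecycle and is not code from the Scuffle project; the in-memory store, the 15-minute TTL, the `/login/magic` path and the injectable clock are assumptions made for the example.

```python
"""Magic-link issuance and redemption (added example, not Scuffle project code)."""
import hashlib
import secrets
import time

# Assumed policy for this example: a link is valid for 15 minutes.
LINK_TTL_SECONDS = 15 * 60
# Assumed path; only the host comes from the project page.
LOGIN_URL = "https://scuffle.tv/login/magic"


class MagicLinkStore:
    """In-memory stand-in for the database table of pending links.

    Rows are keyed by a SHA-256 fingerprint of the token, never by the raw token,
    so a leaked table does not contain anything that works in a URL.
    """

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested offline
        self._pending = {}             # token fingerprint -> (email, expires_at)

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a pending link for `email` and return the raw token for the e-mail body."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; 43 URL-safe chars
        self._pending[self._fingerprint(token)] = (email, self._clock() + LINK_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the e-mail the link was issued for, or None if it is unknown, used or expired.

        The row is popped before any check, so a token can be presented exactly once
        regardless of outcome. Lookup is by exact fingerprint, so no guessable prefix
        is ever compared; a wrong token simply misses the dictionary.
        """
        entry = self._pending.pop(self._fingerprint(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None
        return email


def build_link(token: str) -> str:
    """What goes into the e-mail: the raw token, never its fingerprint."""
    return f"{LOGIN_URL}?token={token}"
```

On redemption the backend still has to mint its own session cookie; the token only proves control of the mailbox and is discarded once it has done that.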

treuks commented 1 year ago

If we're going with Cloudflare, then https://www.cloudflare.com/products/turnstile/ for the captcha.

TroyKomodo commented 1 year ago

@treuks, is it free?

treuks commented 1 year ago

ye

IS2511 commented 1 year ago

> For the password hashing algo, I have previously used argon2 and bcrypt. I believe argon2 was the best; however, I haven't kept up with the state of password hashing.

AFAIK "argon2 + salt + pepper" is the last word in password hashing. bcrypt is practically legacy by now. Giving it a quick search just^1 in^2 case^3, I see no problems. I would encourage reading the OWASP cheatsheet^1 in particular.

If we really want to get into it, we could try to follow NIST guidelines^4. Document B says you SHOULD salt and lists a few recommended options for hashing:

> Examples of suitable key derivation functions include Password-based Key Derivation Function 2 (PBKDF2) [SP 800-132] and Balloon [BALLOON]. A memory-hard function SHOULD be used because it increases the cost of an attack. The key derivation function SHALL use an approved one-way function such as Keyed Hash Message Authentication Code (HMAC) [FIPS 198-1], any approved hash function in SP 800-107, Secure Hash Algorithm 3 (SHA-3) [FIPS 202], CMAC [SP 800-38B] or Keccak Message Authentication Code (KMAC), Customizable SHAKE (cSHAKE), or ParallelHash [SP 800-185].

But if we don't need FIPS-140^5 compliance, I don't think we need to strictly follow that.
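The "argon2 + salt + pepper" scheme discussed in this thread (the opening comment's argon2-vs-bcrypt question and the reply above) has three moving parts worth seeing together: a per-user random salt stored beside the hash, a server-wide pepper kept out of the database, and a self-describing encoded hash so cost parameters can be raised later and old records rehashed on next login. The following is an added example and not code from the Scuffle project. It uses `hashlib.scrypt` from the Python standard library as the memory-hard KDF purely so it runs with no third-party packages; the thread's recommendation is argon2id, and in practice `_kdf` would be swapped for an argon2id binding (for example `argon2-cffi`'s `PasswordHasher`), with everything else unchanged. The pepper value, the cost parameters and the `$scrypt$...` encoding are assumptions made for the example.

```python
"""Salted + peppered password hashing with rehash-on-upgrade (added example, not Scuffle project code)."""
import base64
import hashlib
import hmac
import os

# Constructed pepper for this example. In production it is loaded from a secret store or
# environment variable, never from the database that holds the hashes, so a DB-only leak
# leaves the attacker unable to run an offline guessing attack at all.
PEPPER = bytes.fromhex("6b3f9a1c2d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8")

# Assumed current cost: 2^14 iterations with r=8 is about 16 MiB per hash computation.
CURRENT_PARAMS = {"ln": 14, "r": 8, "p": 1}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def _peppered(password: str, pepper: bytes) -> bytes:
    # Pre-hash with HMAC keyed by the pepper rather than concatenating it: fixed-length
    # input to the KDF and no dependence on how the KDF handles long passwords.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def _kdf(material: bytes, salt: bytes, ln: int, r: int, p: int) -> bytes:
    # Stand-in for argon2id: scrypt is the memory-hard KDF available in the stdlib.
    return hashlib.scrypt(material, salt=salt, n=1 << ln, r=r, p=p, dklen=32)


def hash_password(password: str, pepper: bytes = PEPPER, params: dict = CURRENT_PARAMS) -> str:
    """Return a self-describing string: algorithm, cost parameters, salt and hash."""
    salt = os.urandom(16)  # fresh per user; identical passwords get different hashes
    digest = _kdf(_peppered(password, pepper), salt, **params)
    return "$scrypt$ln={ln},r={r},p={p}${salt}${hash}".format(
        salt=_b64(salt), hash=_b64(digest), **params
    )


def verify_password(password: str, stored: str, pepper: bytes = PEPPER,
                    params: dict = CURRENT_PARAMS) -> tuple:
    """Return (ok, needs_rehash).

    The salt and cost come from the stored string, so records written with older
    parameters still verify; `needs_rehash` tells the caller to re-store the password
    with the current cost while the plaintext is in hand at login.
    """
    try:
        _, algo, param_str, salt_b64, hash_b64 = stored.split("$")
        stored_params = {k: int(v) for k, v in (kv.split("=") for kv in param_str.split(","))}
        salt, expected = _unb64(salt_b64), _unb64(hash_b64)
    except ValueError:
        return False, False
    if algo != "scrypt" or set(stored_params) != {"ln", "r", "p"}:
        return False, False
    digest = _kdf(_peppered(password, pepper), salt, **stored_params)
    ok = hmac.compare_digest(digest, expected)  # constant-time comparison
    return ok, (ok and stored_params != params)
```

Rotating the pepper is the one operation this layout cannot do transparently: because the pepper is mixed in before the KDF, an old hash can only be re-peppered when the user next logs in, so a rotation means keeping the old pepper available for verification until every active account has been rehashed.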