There are lots of best practices when working with passwords: encrypt them, salt them, use the best algorithm (bcrypt), protect your keys by keeping them in a secure place, don't leak information like if an email is in use when you reset a password, and so on and so on. But what if I told you that you don't need to keep up with the latest algorithms and security passwords?
One of the reasons you should strongly consider to not (or stop) storing passwords is risk mitigation. With the ever growing frequency of cyberattacks and data theft, it's one less thing to worry about. Third parties can handle brute force attempts, enforcing good password policies, and storing the passwords themselves. This means you just have to verify the JWT you get in exchange, and the hard parts are left to someone else. No one can hack your login and no one can steal your passwords, because all of that is offloaded.
There are plenty of legacy systems out there that still need attention and development, so the question is: how do we stop storing passwords and make a seamless migration, while hopefully not being disruptive? It's actually really easy.
Auth0 comes with a lot of things out of the box. They can host a configurable login screen for you, handle password resets, provide logging, and admin functions, and so on. All you have to do is flip a switch create a script that calls your api that gets a user (id and email), and you're pretty much done. Really.
Auth0 has a feature called "Import Users to Auth0" on database connections. Enable it and the first time a user logs in, an Auth0 user will be created, using their current password. Next time a user logs in they will authenticate against Auth0. Easy peasy. Congratulations, you never need to verify their password again.
The script on the Auth0 side looks something like this:
function login(email, password, callback) {
const request = require('request');
const payload = {email,password};
request.post({
url: 'https://yoursite.com/login',
followAllRedirects: true,
headers: {"Content-Type": 'application/json'},
body: JSON.stringify(payload)
}, function(err, response, body) {
if (err) {
return callback(err);
}
if (response.statusCode !== 200) {
return callback();
}
const user = JSON.parse(body);
callback(null, {
user_id: user.id,
email: user.email
});
});
}
The rest comes down to customizing the login widget and emails, switching your login page to redirect to the hosted page, and verifying that JWT on each request. Almost no code at all.
If you're interested in outsourcing your authentication, I highly recommend this approach. It buys you peace of mind and you gain value in a matter of hours.