*deploys new VPS*
Click clack tap.. alright, done.
*notices that I accidentally made an Ubuntu 14.04*
Well shit... Guess I'll have to update that immediately to 18.04 then.
*logs in, immediately disables SSH password auth*
# systemctl restart sshd
> systemctl: command not found.
What the fuck..?
What was the command for that old init again.. >_<
# /etc/init.d/ssh restart

WHY THE FUCK IS THIS UBUNTU STILL USING THAT OLD INIT?!! Goddamit, Canonical living up to the philosophy of its Debian counterpart indeed!

Why nobody uses public/private key authentication for ssh and disable password auth?

Am I the only one around here doing this?

Auth Endpoint:

user name and password correct:
- response 200: with session key and profile info
user name and password incorrect:
- response 200: blank

smh

Saw this security blunder a while ago. Went onto some site and it showed me this username/password dialog (probably an apache's htpasswd or nginx one). Went away but returned quickly because I noticed I could see all content. Then I thought 'why the fuck not try?' so I dragged the auth popup thingy to the side of the screen and et voila... I could interact with the page as if nothing was wrong while the authentication popup was hovering above the page on the right!

I sat there giggling dramatically for a while.

how to be a shitty client:
- have a legacy database where column names are misspelled and everything is nullable
- hire external help which instead of helping break the ui (bonus points for breaking the api too)
- demand a very much custom auth logic but decide to use aws cognito for shits and giggles
- demand 1hr daily meetings
- demand biometric auth with 0 knowledge of how biometric auth works (the previous devs just had a face id prompt which does nothing and retrieved email and password saved on the device???)
- message me at 2am because you don't understand how timezones work + demand a build while you're at it
- call me a "heretical pagan" because i took a day off on a holiday you don't celebrate (???)

i could go on but i think this is enough

Google has a password reset procedure so intense, that even if I can sign into my recovery account and give them the code from there, use 2 factor auth and give them the code from there, tell them my recovery phone(s) number(s), give them my mother's father's mother's late cousin twice removed daughter's maiden name, and whatever other security measures were set in place, I can't get a fucking password reset. Thanks Google, fuck you.

Fuck this
I get to work with API where you CAN authenticate with username/password and get a token

But you CAN'T get user info from token (auth response contains ONLY token)

So what I have to do:

1. Get token

2. Request ALL FUCKING USERS and load them into my DB

3. Search through local DB by username and, yeah, here I go

Now I need to have a cron job to update user DB 1/2 times per day

I can't think of ANY reason not to allow this

Today my grandmother called and told me she wasnt able to login to her account for her ISP. Alright, maybe shes confused about the passwords as we had to change it recently. No, turns out they still have this "oh sorry you typed your password incorrect three times, so we will lock your account and your granny have to do the 2 hour telephone queue"

You and your fucking outdated auth practise can go and kindly fuck yourself. Fix this shit before I get real mad.

So I've been working a lot with Docker lately (who isn't) and there was this one service always DIEING on me.
Docker logs showed me that it was killed because the container was unhealthy.
I researched for a whole day and couldn't find it...
After I got home it hit me like a hammer...
The healthcheck uses basic Auth and the password was changed yesterday...

How the fuck could I start to try every shit before I even checked if the request done by the healthcheck is working...

FUCK ME I'M SUCH A MORON SOMETIMES

I find it funny that as soon as I disable password authentication on my server and enable key auth then all of the bots spamming my server with incorrect login requests instantly stop when they realise that they aren’t getting through any time soon. Also don’t ask why I don’t have Fail2Ban and a firewall set up.

Let's talk about the cargo cult of N-factor authentication. It's not some magic security dust you can just sprinkle onto your app "for security purposes".

I once had a client who had a client who I did server maintenance for. Every month I was scheduled to go to the site, stick my fingerprint in their scanner, which would then display my recorded face prominently on their screens, have my name and purpose verified by the contact person, and only then would the guards let me in.

HAHA no of course not. On top of all of that, they ask for a company ID and will not let me in without one.

Because after all, I can easily forge my face, fingerprints, on-site client contact, appointment, and approval. But printing out and laminating a company ID is impossible.

---

With apologies to my "first best friend" in High School, I've forgotten which of the dozens of canonicalisations of which of your nicknames I've put in as my answer to your security question. I've also forgotten if I actually listed you as my first best friend, or my dog - which would actually be more accurate - and actually which dog, as there are times in my High School life that there were more tails than humans in the house.

I have not forgotten these out of spite, but simply because I have also forgotten which of the dozen services of this prominent bullshit computer company I actually signed up for way back in college, which itself has been more than a decade ago. That I actually apparently already signed up for the service before actually eludes me, because in fact, I have no love for their myriad products.

What I have NOT forgotten is my "end of the universe"-grade password, or email, or full legal name and the ability to demonstrate a clear line of continuity of my identity from wherever that was to now.

Because of previous security screwups in the past, this prominent bullshit company has forced its users to activate its second, third, and Nth factors. A possibly decade-old security question; a phone number long lost; whatever - before you can use your account.

Note: not "view sensitive data" about the account, like full name, billing address, and contact info. Not "change settings" of the account, such as changing account info, email, etc. Apparently all those are the lowest tier of security meant to be protected by mere "end of the universe"-grade passwords and a second factor such as email, which itself is likely to be sold by a company that also cargo cults N-factor auth. For REAL hard info, let's ask the guy who we just showed the address to "What street he lived in" and a couple others.

Explaining this to the company's support hotline is an exercise in...

"It's for your security."

"It's not. You're just locking me out of my account. I can show you a government ID corroborating all the other account info."

"But we can't, for security."

"It's not security. Get me your boss."

...

"It's for security."

When depression set in, I thought pain relief lied in getting duller. People I called “stupid” — who lived simple lives filled with alcohol and lack of any talent or purpose — weren't suffering. Better even, they denied the existence of depression.

My “wish” was granted when they prescribed cariprazine. In two months, I lost my ability to read, let alone code.

Before that, even depressed, writing a simple email/password auth was a matter of ten minutes in any of the languages I knew how to do web in (JS, Python, Clojure, PHP). But on cariprazine, I remember myself not quite getting what an HTML form was.

Tell you what… you should never wish to become dumber. When I was smart and depressed, the pain was real, but it felt like… let's say a breakup. When I was dumb and depressed, it felt like being raped with a red-hot soldering iron. Or like being skinned alive. Or like when 100% of your skin is a third-degree burn. The pain weren't listening to me, as my mouth was glued shut as if I was Keanu in the first Matrix movie. You can't say, do or think anything, at all, to ease your pain somehow. You can't even realize that just DMing or calling someone is probably a good idea.

Instead of you vs. despair situation from when you were smart, now it's just despair that is actively melting you, so you two become one. Even time loses its meaning. There is nothing out there but suffering.

If you're smart(er than I was at my lowest), DO cherish it. Losing that will spell disaster. So stay away from substances that can facilitate that loss.

Boss: so we've got to call an app to verify data in this project. But I've got no more info and I'm on holiday next week. Please contact GuyA next week.
Me: ok I guess?
*writes email to GuyA*
GuyB: GuyA is on holiday please hold the line
*1 week later*
GuyA: we need more time it's not ready yet
*2 weeks later?
Me: so?
GuyA: yeah it's ready here's the wsdl etc your client already has the password
*1 week later*
Me: yeah so I got the data but the api says my auth isn't working
GuyB: yeah your user isn't activated on the test system. I'm gonna forward that and come back at you
*1 week later*
GuyA: so we're going live in about 2 weeks hows testing going?
Me: well I'm still waiting for the response and activation
*suddenly it works*
Me: yeah so auth is working but i can't find any data. Is there any special test data?
GuyA: oh no there is NO test data on the test system. You need to wait for GuyB but he us not here today...
Me: are you fking kidding Me?????

... no response since then and it's been days....

Pentesting for undisclosed company. Let's call them X as to not get us into trouble.
We are students and are doing our first pentest at an actual company instead of assignments at school. So we're very anxious. But today was a good day.
We found some servers with open ports so we checked a few of them out. I had a set of them with a bunch of open ports like ftp and... 8080. Time to check this out.
"please install flash player"... Security risk 1 found!

System seemed to be some monitoring system. Trying to log in using admin admin... Fucking works. Group loses it cause the company was being all high and mighty about being secure af. Other shit is pretty tight though.

Able to see logs, change password, add new superuser, do some searches for USERS_LOGGEDIN_TODAY! I shit you not, the system even had SUGGESTIONS for usernames to search for. One of which had something to do with sftp and auth keys. Unfortunatly every search gave a SQL syntax error. Used sniffing tools to maybe intercept message so we could do some queries of our own but nothing. Query is probably not issued from the local machine.

Tried to decompile the flash file but no luck. Only for some weird lines and a few function names I presume. But decompressing it and opening it in a text editor allowed me to see and search text. No GET or POST found. No SQL queries or name checks or anything we could think of.

That's all I could do for today. So we'll have to think of stuff for next week. We've already planned xss so maybe we can do that on this server as well.

We also found some older network printers with open telnet. Servers with a specific SQL variant with a potential exploit to execute terminal commands and some ftp and smb servers we need to check out next week.

Hella excited about this!

If you guys have any suggestions let us know. We are utter noobs when it comes to this.

Security is a joke. And people don't seem to get it. Especially Data mungers.

I've spent about half an hour trying to work out how to securely connect to power BI using PowerShell in a renewable manner for unattended access later on.

Every single example I've found seems to involve you storing $user and $password variables inside your script. If I'm lucky, they're going to pass them through ConvertTo-SecureString. And nobody talks about securely storing AD auth tokens, or using the Windows Credential Manager.

I know it's possible, but it's going to take me ages to work out how from all sorts of disparate sources...

Your three-second password retry delay is far more likely to annoy users than preventing a brute-force attack.

If you insist on a retry delay, let the user enter a password five times without any delay. This would make no difference in the grand scheme, the trillions of retries needed for a brute-force attack, and guessing a password takes longer than three seconds of thinking anyway.

Another alternative is a tenth of the password retry delay but one added character. One added character slows down a brute-force attack by at least sixty-two (62) times, so one more character but a tenth of the password retry delay would still mean more than six (6) times the protection against brute-forcing.

On Linux, the password retry delay can thankfully be reduced by changing a value inside /etc/pam.d/common-auth or /etc/pam.d/login (out of scope for this post, you can search online for more details).

I am trying to "invent" secure client-side authentication where all data are stored in browser encrypted and only accessible with the correct password. My question is, what is your opinion about my idea. If you think it is not secure or there is possible backdoor, let me know.

// INPUT:
- test string (hidden, random, random length)
- password
- password again
// THEN:
- hash test string with sha-512
- encrypt test string with password
- save hash of test string
// AUTH:
- decrypt test string
- hash decrypted string with sha-512
- compare hashes
- create password hash sha-512 (and delete password from memory, so you cannot get it somehow - possible hole here because hash is reversible with brute force)

// DATA PROCESSING
- encrypt/decrypt with password hash as secret (AES-256)

Thanks!

EDIT: Maybe some salt for test string would be nice

Pulled my hair out over one today (and a week ago when I first saw the issue)

Setting up development environment. Created test user and test database and used mysqldump to copy data over.

MySQL was executing a function as the wrong user. Checked my config files, checked my config reader, checked my database connection, checked checked checked. Checked everything twice, I felt like Santa.

Changed the password in the config file to make sure it was logging in right. It threw an error still but not one I had expected so I figured the login still worked (My bias was that I thought the config file was not working or the mysql library was caching authentication. Both were wrong but this blinded my debugging. Foolish, I have forgotten my training)

Logged into the database directly via client. *didn't bother executing the function because I was only testing auth*

Think
Think
Think

Search entire project for database username. It's gotta be hard coded by accident SOMEWHERE.

It's not.

Why
Why
Why

Wait.

-- Flashback to how the test db was created -- What's actually in this damn script?

DEFINER `production_user` CREATE PROCEDURE `old_db`.`procedure_name`

Two issues: definer is old user (this is the error I was seeing) and its creating the procedure on the old db (this would be the next error I would have found if I kept going)

Fuck mysqldump. Install mysqldbcopy. Works

Put hair back in head.

I use google auth for 2FA. Had to factory reset my phone for some reason. Meanwhile, github one day forced me to change my password. So I used the back up recovery code to change the password and then logged out. I was in a hurry and actually forgot to set up the new 2FA. But hey I have got the recovery codes right.

But, guess what? The recovery codes are not working anymore! Wtf github?

>finally gets around to installing vsftpd on home server RPi
>doesn't work
hmm.mp2
>configurating
>confusing as fuck template documentation
>man page isn't much better
>gets it working
>goes to log in
User: pi
Password: a
(What? It's a home file/command server isolated from the Internet. Sue me.)
nope.avi
>why
>tries again
nope.svg
>FUCK
>sees small raw-command log in bottom-right of phone FTP client
hmm.flac
>tries again, watches log
PASS *****
>the fuck
>goes to change user pass over SSH
# passwd
"Current password?"
about half a second later
"passwd: auth token manipulation denied"
>the delay tho
>WAIT A SECOND
one time i got past some parental software bullshit on a tablet by abusing the delay between opening a banned app and the redirect to the normal software at like age 7. (Doing so let me enable remote wipe through Google. bye bye software!)
>*inner 7 year old has autistic screech*
# nano temp
a
abcdefghi
abcdefghi
^O Y ^X
# passwd < temp
>fucking works
>logs in to FTP server successfully
>does the one file download that was needed

why and how did that fucking work

Am I incredibly paranoid with my idea of multiple(>2)-factor-auth like fingerprint+yubikey+password+OTP aso?

Just built a solid desktop app for MacOS with Flutter that's worthy of shipping. I gotta say I'm pretty stoked about it, even if it isn't nearly as dope as LOIC. Haha chargin muh lazers!
I'll get some screenshots up soon!!
I also wrote a comple CLI interface for Firebase management using Python. Advanced auth abilities, CRUD capability, full json import/export, verification/password resets, you name it. Well, except full Firestore/mobile OTP features but it's still a win. Actually dicked around and made a cool little Firebase chat program in the terminal with the Python interpreter.
Finished up my first apps in React, React-Native and Ember, my 2nd with Electron, and also got my first Firebase hosted site up and running. Solid day!!! Cheers to that. And cheers to all of you amazing bastards!

I have 2FA enabled on NPM so it would shut up about it, the recovery codes are in my password manager, right next to my secure randomly generated password.

Password authentication is fucking stupid.

I recently started working on laravel. As the community says it was easy to get along with the framework and its methodologies. But then i had to do multiple login with framework in same domain.

Oh man, i spent a week to make it work. All those guards and middlewares realted to login was driving me crazy. The concept was clear, but somehow the framework was like "You! I shall make you spend a week for my satisfaction". The project demo was nearing and i was doing all kind of stuff i found. Atlast after continous tries it worked. Never in my 4+ years as a developer i had to face such an issue with login.

So here is how it works,if anyone faces the same issue:
(This case is beneficial if you're using table structures different from default laravel auth table structures)

1. Define the guards for each in auth.php
Eg:
'users' => [
'driver' => 'session',
'provider' => 'users',
],
'client' => [
'driver' => 'session',
'provider' => 'client',
],
'admin' => [
'driver' => 'session',
'provider' => 'admins',
],

2. Define providers for each guards in auth.php
'users' => [
'driver' => 'eloquent',
'model' => <Model Namespace>::class,
'table' => '<table name>', //Optional. You can define it in the model also
],
'admins' => [
'driver' => 'eloquent',
'model' => <Model Namespace>::class,
],
'client' => [
'driver' => 'eloquent',
'model' => <Model Namespace>::class,
],

Similarly you can define passwords for resetting passwords in auth.php

3. Edit login controller in app/Http/Controller/Auth folder accordingly
a. Usually this particular line of code is used for authentication
Auth::guard('<guard name>')->attempt(['email' => $request->email, 'password' => $request->password]);
b. If above mentioned method doesn't work, You can directly login using login method
EG:
$user = <model namespace>::where([
'username' => $request->username,
'password' => md5($request->password),
])->first();
Auth::guard('<guard name>')->login($user);

4. If you're using custom build table to store user details, then you should adjust the model for that particular table accordingly. NOTE: The model extends Authenticatable
EG
class <model name> extends Authenticatable
{
use Notifiable;

protected $table = "<table name>";

protected $guard = '<guard name>';

protected $fillable = [
'name' , 'username' , 'email' , 'password'
];

protected $hidden = [
'password' ,
];

//Below changes are optional, according to your need
public $timestamps = false;
const CREATED_AT = 'created_time';
const UPDATED_AT = 'updated_time';

//To get your custom id field, in this case username
public function getId()
{
return $this->username;
}
}

5. Create login views according to the user types you required

6. Update the RedirectIfAuthenticated middleware for auth redirections after login

7. Make sure to not use the default laravel Auth routes. This may cause some inconsistancy in workflow

The laravel version which i worked on and the solution is for is Laravel 6.x

Here is the REST API design of my LEAD programmer
# Access the API
1. Get access token with out username and password (GET /token)
2. Sign in with username, password and add access token as query param (POST /user/auth?token=[access_token]
3. Call other resources by adding token as query param

# Create new objects
- He uses PUT method in every resources to create new objects

Trying to make a nodejs backend is pure hell. It doesn't contain much builtin functionality in the first place and so you are forced to get a sea of smaller packages to make something that should be already baked in to happen. Momentjs and dayjs has thought nodejs devs nothing about the fact node runtime must not be as restrained as a browser js runtime. Now we are getting temporal api in browser js runtime and hopefully we can finally handle timezone hell without going insane. But this highlights the issue with node. Why wait for it to be included in js standard to finally be a thing. develop it beforehand. why are you beholden to Ecma standard. They write standards for web browser not node backend for god sake.

Also, authentication shouldn't be that complicated. I shouldn't be forced to create my own auth. In laravel scaffolding is already there and is asking you to get it going. In nodejs you have to get jwt working. I understand that you can get such scaffolding online with git clone but why? why express doesn't provide buildtin functions for authentication? Why for gods sake, you "npm install bcrypt"? I have to hash my own password before hand. I mean, realistically speaking nodejs is builtin with cryptography libraries. Hashmap literally uses hashing. Why can't it be builtin. I supposed any API needed auth. Instead I have to sign and verfiy my token and create middlewares for the job of making sure routes are protected.

I like the concept of bidirectional communication of node and the ugly thing, it's not impressive. any goddamn programming language used for web dev should realistically sustain two-way communication. It just a question of scaling, but if you have a backend that leverages usockets you can never go wrong. Because it's written in c. Just keep server running and sending data packets and responding to them, and don't finalize request and clean up after you serve it just keep waiting for new event.

Anyway, I hope out of this confused mess we call nodejs backend comes clean solutions just like Laravel came to clean the mess that was PHP backend back then.

Express is overrated by the way, and mongodb feels like a really ludicrous idea. we now need graphql in goddamn backend because of mongodb and it's cousins of nosql databases.

hey, so i have recently started learning about node js and express based backend development.

can you suggest some good github repositories that showcase real life backend systems which i can use as inspiration to learn about the tech?

like for eg, i want to create a general case solution for authentication and profile management : a piece of db+api end points + models to :

- authenticate user : login/signup , session expire, o auth 2 based login/signup, multi account login, role based access, forgot password , reset password, otp login , etc

- authorise user : jwt token authentication, ip whitelisting, ssl pinning , cors, certificate based authentication , etc (

- manage user : update user profile, delete user, map services , subscriptions and transactions to user , dynamic meta properties ( which can be added/removed for a single user and not exactly part of main user profile) , etc

followed by deployment and the assoc concepts involved : deployment, clusters, load balancers, sharding ,... etc

----

these are all the buzzwords that i have heard that goes into consideration when designing a secure authentication system for a particular large scale website like linkedin or youtube. am not even sure how many of these concepts would require actual codelines and how many would require something else.

so wanted inspiration from open source content to learn about it in depth, replicate and create new better stuff if possible .

apart from that, other backend architectures like video/images storage system, or just some server for movie, social media, blog website etc would also help.