# server
Personally, as a user I do not want to authenticate through a third party and give access to my personal information. I always use an email/password combo and store everything in a password manager. Also, if one account is hacked, my other accounts are safe. Please, give your users a choice (unless it's an enterprise, then some restrictions may apply of course). About your question @martmists, check OWASP's cheat sheet about password storage:
This cheat sheet provides guidance on the various areas that need to be considered related to storing passwords. In short:
• Use Argon2id with a minimum configuration of 15 MiB of memory, an iteration count of 2, and 1 degree of parallelism.
• If Argon2id is not available, use bcrypt with a work factor of 10 or more and with a password limit of 72 bytes.
• For legacy systems using scrypt, use a minimum CPU/memory cost parameter of (2^16), a minimum block size of 8 (1024 bytes), and a parallelization parameter of 1.
• If FIPS-140 compliance is required, use PBKDF2 with a work factor of 310,000 or more and set with an internal hash function of HMAC-SHA-256.
• Consider using a pepper to provide additional defense in depth (though alone, it provides no additional secure characteristics).
sorry for the non-thread message, I will use threads next time 🙂
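As an added illustration of the quoted OWASP guidance (this is example code written for this page, not from the poster, from OWASP, or from any project), the following implements the FIPS-friendly option from the list, PBKDF2-HMAC-SHA-256 with a 310,000 iteration work factor, using only the Python standard library, since Argon2id and bcrypt need third-party packages. The storage record format (`algorithm$iterations$salt_hex$hash_hex`), the 16-byte salt size, and the choice to apply a pepper by HMAC-ing the password before the KDF are assumptions made for the example; the `needs_rehash` helper shows how a server can raise the work factor later without forcing password resets.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters taken from the OWASP guidance quoted in the message above.
PBKDF2_ITERATIONS = 310_000      # OWASP minimum work factor for PBKDF2-HMAC-SHA-256
SALT_BYTES = 16                  # per-password random salt (size assumed for this example)
KEY_BYTES = 32                   # derived key length, equal to the SHA-256 output size
ALGORITHM = "pbkdf2-sha256"      # label stored with the hash (record format assumed here)


def _prehash(password: str, pepper: Optional[bytes]) -> bytes:
    """Optionally fold a site-wide pepper into the input with HMAC before the KDF.

    The pepper is kept outside the database (for example in a secrets manager),
    so a dumped user table alone is not enough to start guessing passwords.
    HMAC pre-hashing is one way to apply a pepper; it is an assumption of this example.
    """
    raw = password.encode("utf-8")
    if pepper is None:
        return raw
    return hmac.new(pepper, raw, hashlib.sha256).digest()


def hash_password(password: str, pepper: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)       # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper),
                             salt, iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str, pepper: Optional[bytes] = None) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algorithm, iterations_s, salt_hex, hash_hex = stored.split("$")
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False                        # malformed record: never accept
    if algorithm != ALGORITHM or iterations < 1:
        return False                        # unknown scheme or nonsensical parameters
    candidate = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper),
                                    salt, iterations, dklen=len(expected))
    # compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than current policy.

    Call this right after a successful login and re-hash with the plaintext you
    just verified, so old records are upgraded transparently over time.
    """
    try:
        algorithm, iterations_s, _, _ = stored.split("$")
        return algorithm != ALGORITHM or int(iterations_s) < min_iterations
    except ValueError:
        return True                         # unreadable record: replace it


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("needs rehash:", needs_rehash(record))
```

The record carries its own iteration count, so raising `PBKDF2_ITERATIONS` later does not break verification of existing users; `needs_rehash` flags them for an upgrade on their next successful login.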