DEV Community

Discussion on: Maker Story: Password Reset Flow after 5 months

Collapse
 
engineercoding profile image
Wesley Ameling

"I set him a new one manually"

If I read that, I always am afraid that security is breached by not hashing and salting the passwords, please tell me you do that though. Additionally, while I agree it offers more flexibility by using no framework, you do sacrifice the built-in security components in frameworks such as CSRF and session hijacking. Even when you use a framework, you do have to be wary about security. For instance, a lot of frameworks do not throttle requests which could result in brute force attacks and such.

I really like to work with security concepts, so that is why this comment is so security oriented.

Collapse
 
golangch profile image
Stefan Wuthrich

Thanks for your comment Wesley.
Well, my post or way of doing this kind of project is not about sacrificing security needs. I would say, that having a PW Reset Flow does not mean, that things are more secure, with or without a framework. Of course, always having in mind, that eg saving a PW need some hashing and salting, as you 100% correclty said. Don't worry, I never would save a PW without that, manually or implemented. :-)