AWS Cloud Developer: Full-Stack - Security and Auth Flashcards
Difference between Authorization and Authentication
Authentication: Who is asking?
Authorization: Can they ask?
How should passwords be stored?
Passwords should never be stored.
Data in transit should always be encrypted using …
SSL or TLS
What kind of encryption should be used to encrypt passwords?
One Way Hash
With OWH, the server compares hashes not passwords
Reversible encryption algorithms allow anyone with the key to decrypt a password
One way hashing algorithms
bcrypt
scrypt
SHA-1
MD5
What is one way of defeating a One Way Hashing algorithm, and how can we make it more secure?
Rainbow tables
This can be prevented by using Salts
What are Salts?
A random string added to the beginning of a password before it is passed through a One Way Hashing Algorithm. This is to ensure that the same password never outputs the same hash string, making it difficult to decrypt using rainbow tables
What is the gold standard for storing passwords?
As salted, hashed strings using bcrypt
Bcrypt salt rounds
The password is passed through the salted hashing function, and the output is again passed through the hashing function in a loop. The more times we iterate on the hashing function, the more we can guard against brute force attacks that try to guess the password. The salt rounds decide how many times to go through this loop. Setting salt rounds to 10 means we iterate on this hashing function 2^10 times.
How to avoid having to provide the user password with every request?
Session ids stored on user’s browser, which are then provided in Request headers