Security is hard indeed. In this article, I’ll try to explain more about security: how it is a costly feature whose cost is somehow not visible to stakeholders, and why there are still “security insufficient” websites. We’ll start with the most common process on every website, user login, which I have been tinkering with and digging into lately.
Storing the password
There are many ways to store a user’s registered password in a database. The easiest one is to store it in plain text, which, if I discover it and if I can, I’ll find you and I will beat you up. Nowadays it is unacceptable to keep a password in plain text at all, on any storage; the only exception is sending a newly generated reset password by email. Though it costs nothing, it is very risky and vulnerable to adopt.
Store the hash
An md5-hashed password is a higher level of security than plain text. Then every time a user logs in, md5-hash the input password and compare the hash with the existing one in the database. An md5 hash costs very little CPU power nowadays. However, this practice is vulnerable to rainbow table attacks.
Which is why a salt, a randomly generated string, is added to the password to prevent it (I won’t explain the implementation here). A salt together with md5 hashing is, in my opinion, the bare minimum security to use for storing passwords. Though because it costs very little CPU power, an attacker with a strong enough computer can still brute-force it or mount a rainbow table attack.
Which is why nowadays a bcrypt (or the newer argon2) hash is preferred. I use the older and much simpler bcrypt. It has a built-in salt (so you don’t need to manage it yourself) and a cost factor, so you can easily increase or decrease its processing cost relative to your own, or today’s, processing power. Of course the security impact is its increased processing cost, which is costly for you, but even more so for the attacker.
Login session and cookies
After password storage, which costs processing power, we now need to handle cookies and the infamous “remember me” feature. I find it more complicated than just storing the token in the database, putting it in a cookie and passing it with every request. See this Stack Overflow answer and the article it references for implementation details (it’s too long and out of scope here).
In short, it is very complicated and costs some resources: memory (redis), bandwidth (for passing cookies) and processing power (to verify the login session on every request). Fortunately, those costs are negligible nowadays, and a good framework handles most of the process so you only need a little configuration. That is another reason to use a framework.
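The simple token scheme mentioned above (random token in the database, token in a cookie, checked on every request), as an added example that is not the Stack Overflow answer's scheme nor code from the article. Two details a practitioner would want are shown: the server stores only a hash of the token, so a leaked sessions table does not yield replayable cookies, and every entry carries an expiry that is checked per request. The 30-day lifetime, the cookie name, and the dict standing in for redis or a sessions table are assumptions of this example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 30 * 24 * 3600  # assumed "remember me" lifetime: 30 days
COOKIE_NAME = "remember_me"         # assumed cookie name

# Constructed in-memory store standing in for redis / a sessions table:
# sha256(token) hex -> {"user": str, "expires": float}
SESSIONS: Dict[str, dict] = {}


def _key(token: str) -> str:
    """Only the hash of the token is stored; the raw token lives in the browser."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_remember_token(user: str, now: Optional[float] = None) -> str:
    """Create a 256-bit random token, record its hash and expiry, return the raw token."""
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)
    SESSIONS[_key(raw)] = {"user": user, "expires": now + TOKEN_TTL_SECONDS}
    return raw


def set_cookie_header(token: str) -> str:
    """HttpOnly keeps the token away from page scripts, Secure restricts it to
    HTTPS, SameSite=Lax stops most cross-site requests from carrying it."""
    return (f"{COOKIE_NAME}={token}; Max-Age={TOKEN_TTL_SECONDS}; Path=/; "
            f"HttpOnly; Secure; SameSite=Lax")


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Minimal parser for a request's Cookie header ("a=b; c=d")."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def user_for_request(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Per-request verification: hash the presented token, look it up,
    and drop it if expired. Returns the user name or None."""
    now = time.time() if now is None else now
    token = parse_cookie_header(cookie_header).get(COOKIE_NAME)
    if not token:
        return None
    entry = SESSIONS.get(_key(token))
    if entry is None:
        return None
    if entry["expires"] <= now:
        del SESSIONS[_key(token)]   # expired: clean up so it cannot be reused
        return None
    return entry["user"]


def revoke(token: str) -> bool:
    """Logout: forget the hash; the cookie still held by the browser becomes useless."""
    return SESSIONS.pop(_key(token), None) is not None


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed clock value
    token = issue_remember_token("alice", now=t0)
    print(set_cookie_header(token))
    print("user now:", user_for_request(f"{COOKIE_NAME}={token}", now=t0 + 60))
    print("user after 31 days:", user_for_request(f"{COOKIE_NAME}={token}", now=t0 + 31 * 86400))
```

The per-request cost the article mentions is visible here as one SHA-256 and one store lookup per request, which is what makes it negligible in practice.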
Some other security costs
- OS / library / application security patches cost some processing power and (possibly) memory. The most recent example is the performance drop from the Spectre / Meltdown CPU patches.
- Antivirus really costs processing power.
- Two-factor authentication costs infrastructure, network bandwidth and casual user experience.
- Captcha costs network bandwidth and user experience.
- Asymmetric cryptography needs some setup before use, and is not effective for fast, anywhere access.
- SQL injection, XSS, CSRF and MITM attack prevention need good developer experience and infrastructure knowledge, as well as some bandwidth and processing power.
The upside and the worst cost
The upside is that there are so many sources of information, books and references to learn about security, how to develop and use security measures, and where / when to use them. Moreover, the bandwidth / processing power / memory costs of the majority of security measures are negligible. At worst, maybe around a 10% hardware performance upgrade (not counting business growth) every 5 years is required to satisfy security measures.
However, the worst cost that comes with handling security is developer time. That time is spent researching security risks, how / what is the best way to handle them, and how to actually implement those measures in the product being developed. QA will be the next party whose time is spent testing those implementations. Those hours are the worst costs of implementing security measures.
Security is needed, even though it’s costly, especially in developer and QA time. Though not everything is required, there is a minimal set of security measures needed to ensure that at least the system will be safe. Fortunately, there are many libraries / frameworks that already handle those measures for you, which cuts the time needed to implement and test them.