Securing passwords is the most crucial thing when it comes to web security since if your passwords are compromised your information will be at risk.
So man in the middle attack is quite often when it comes to web security and especially while dealing with passwords between a client and the server. This attack is basically before a request reaches the server someone can spoof in between and steal the information and later uses it to replay the action and thus getting access to the victim's sensitive information.
Let's talk about how passwords are compromised.
- Assume if you are storing the passwords in plain texts in your database and if the attacker gets the password from the request before it reaches the server he can replay the actions since the passwords were plain texts.
- If you encrypt it on client side the attacker can read the hashing algorithm on the client since everything in JavaScript can be exposed.
- If you use some kind of salt to create hashes and again send that hashes along with the request the attacker can spoof the salt as well and again your password can be compromised.
There are different strategies around secure authentication.
- Hasing with Salts
- 2FA
Let's take an example of a login page. With this technique whenever a user requests a login page servers can create a unique identifier a.k.a salt and then send that along with the page. This can be appended anywhere for example in <head><script>const salt=12321312321312312</script></head> and now when the form get's submitted the password should be encrypted along with this salt and create a hash out of it and send the hashed password over the wire without any salt or anything. Since the server knows the identity of the client and the salt it can store the hashed password and the salt(this was already known by the server since server only sent this). The problem with this approach is that the unique identifiers created by servers now has to be session based or something by which a server knows the identity of the requests. But we are moving away from the session based mechanisms to the direction of token based authentication so that our servers are stateless.
This appraoch is being widely adopted and proved to be a better way of authentication. As the name itslef suggests it considers 2 factors for authentication. For example a user is trying to log in from their laptop so laptop becomes one factor and their mobile could become second factor. So now even if one factor is compromised the chances are very rare the other factor is also compromised(unless you're kdinapped or the attacker has access to all your devices 😛). This helps user to be aware that the activity for logging in to an account is being initiated by them only. Some of the examples are OTP, showing a notification on a user's mobile and asking them to confirm from there, use some authenticator apps which are linked to the user's account to generate dynamic security code everytime.