Ask YC: How do you handle security?

3 points by bcater ↗ HN
I have a site with the usual username/password login hooked to a MySQL backend. What's the best way to handle signup (sending the username/password) and logging in (same)? In particular, can you avoid using a POST and sending text parameters?

3 comments

[ 4.8 ms ] story [ 15.8 ms ] thread
Consult this PDF:

http://pdos.csail.mit.edu/papers/webauth:tr.pdf

In general, dont ever send passwords over an unencrypted channel. People reuse passwords. The credentials they are using for your site could be the same for their bank.

Oh, and make sure to hash the passwords in your database. BCrypt is good for this task. Best not to try rolling your own methods (as has been pointed out here on YC news before).