9 Comments
May 6, 2022 · Liked by Alex Xu

Thanks for writing this article. The content is easy to read and is very valuable. I have a comment on the password storage part. While the use of hashing is conceptually correct, there are different kinds of hashing algorithms and most people would assume the simplest one (e.g. SHA256). The practical one that is suitable for password hashing is discussed in https://en.wikipedia.org/wiki/Cryptographic_hash_function#Password_verification, which includes PBKDF2, scrypt and Argon2.


I really like the way HTTP vs HTTPS are described, in easy language. Please do post negative scenarios, or the cases in which HTTPS is a must, or cases where HTTP outperforms HTTPS.


Thanks for writing this article about HTTPS,

I just would like to provide a bit of clarification on the key exchange algorithm.

The key exchange algorithm that you described is called RSA and is one of the possible options for generating a session key.

A more secure algorithm is called Diffie Hellman.

This algorithm avoids sending the session key over the wire and so it doesn't strictly need the public key contained in the server certificate.

In this case the server certificate is still necessary to verify the authenticity of the server the client is communicating with.

The two different options for RSA and Diffie Hellman are described at https://en.wikipedia.org/wiki/Transport_Layer_Security.

More info about Diffie Hellman at https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange.


Hey Alex, Thank you for the information.

I have a question: if the session key generated on the client side is stolen by the hacker, wouldn't the hacker be able to decrypt the information just like what they could with the public key if there is no session key? Why is the session key safer than the public key?


The cipher may change over time. Do you recommend migrating the passwords or making the design backward compatible?


Note, you can also mention secure coding. How would you go about actually implementing the salt in the backend of a database?


Thanks for writing this article. Actually, I have a very simple question for step 2 of the "validating password" process. How does the system fetch the corresponding salt of a password? There might be cases where multiple salts correspond to one single password, right (multiple users having the same password)? How does the system determine the right salt?

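The comments above ask where the salt lives, how the right salt is found when users share a password, and how to cope with a changing algorithm. The sketch below is an added example, not code from the article or from any commenter: it stores the salt in each user's own record, looks it up by username, and re-hashes old records on successful login. The `users` dict, the record format, and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

CURRENT_ITERATIONS = 600_000  # example work factor (assumption); tune per hardware

# Constructed in-memory stand-in for a users table: username -> stored record.
users = {}

def _derive(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def encode_record(password, iterations=CURRENT_ITERATIONS):
    """Build the string kept in the user's row: scheme$iterations$salt$hash."""
    salt = os.urandom(16)  # fresh random salt per user, not per password
    digest = _derive(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def register(username, password, iterations=CURRENT_ITERATIONS):
    users[username] = encode_record(password, iterations)

def verify(username, password):
    """Fetch the record by username, recompute with its own salt and cost."""
    record = users.get(username)
    if record is None:
        return False
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = _derive(password, bytes.fromhex(salt_hex), int(iterations))
    if not hmac.compare_digest(candidate, bytes.fromhex(digest_hex)):
        return False
    # Backward-compatible migration: old records still verify, then are
    # re-hashed at the current cost while the plaintext is available.
    if int(iterations) < CURRENT_ITERATIONS:
        users[username] = encode_record(password)
    return True
```

Because the lookup key is the username, two users with the same password never collide: each row carries its own salt and therefore its own hash.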