Ask YC: How do you handle security? - bcater

I have a site with the usual username/password login hooked to a MySQL backend. What's the best way to handle signup (sending the username/password) and logging in (same)? In particular, can you avoid using a POST and sending text parameters?
======
jsjenkins168
Consult this PDF:

<http://pdos.csail.mit.edu/papers/webauth:tr.pdf>

In general, don't ever send passwords over an unencrypted channel. People reuse
passwords. The credentials they are using for your site could be the same for
their bank.

Oh, and make sure to hash the passwords in your database. BCrypt is good for
this task. Best not to try rolling your own methods (as has been pointed out
here on YC news before).
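
Added example (not from this thread or any poster): what "hash the passwords in your database" looks like in practice, with a per-user random salt, a tunable work factor, and a constant-time check on login. It uses the standard library's PBKDF2-HMAC-SHA256 in place of bcrypt only because bcrypt is not in Python's standard library; the structure (salted, slow, self-describing record) is the same, and the record format and the `ITERATIONS` value are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; raise it as hardware gets faster).
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record for the users table.

    Format (assumed for this example): pbkdf2_sha256$<iterations>$<b64 salt>$<b64 digest>
    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be cracked with one precomputed table.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "{}${}${}${}".format(
        ALGO,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt against a stored record.

    Returns False (never raises) for a wrong password or a malformed record, and
    compares in constant time so response timing does not leak how many leading
    bytes of the digest matched.
    """
    try:
        algo, iterations_s, salt_b64, digest_b64 = stored.split("$")
        if algo != ALGO:
            return False
        iterations = int(iterations_s)
        if iterations < 1:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record uses an older/lower work factor; re-hash on next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit() or int(parts[1]) < iterations
```

Store only the returned record, never the password, and call `needs_rehash` after a successful `verify_password` so old records are upgraded transparently.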

------
chengmi
SSL.

------
tlrobinson
Carefully.
