Hacker News new | past | comments | ask | show | jobs | submit login

  The application may return a different HTTP Error code depending on the authentication attempt response. It may respond with a 200 for a positive result and a *403* for a negative result.
I would say a 401 - Unauthorized with proper WWW-Authenticate header.

403 means forbidden, which apply to when you try to access a resource without permission / authorization

Also, in their Password Storage Cheat Sheet [https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet], they seems to recommend :

    PBKDF2 [*4] when FIPS certification or enterprise support on many platforms is required;
    scrypt [*5] where resisting any/all hardware accelerated attacks is necessary but support isn’t.
    bcrypt where PBKDF2 or scrypt support is not available.
AFAIK, things are not so binary :

* https://news.ycombinator.com/item?id=3724560

* http://security.stackexchange.com/questions/4781/do-any-secu...

* http://security.stackexchange.com/questions/26245/is-bcrypt-...

There are different interpretations of what 401 should be used for. The spec only handles WWW-Authenticate authentication, which is pretty limited and not universally used (Bearer auth is occasionally used for APIs but Basic auth is pretty rare -- especially in end-user-facing parts of the web). The problem is likely that when the status codes were defined nobody thought people would ever need to build their own login forms.

I agree that it is more useful to use 401 to indicate that some form of authentication is required or has failed, and 403 to indicate that you are authenticated but not allowed to access something (which is what the spec emphasizes).

IOW, 403 should be "Unauthorized", 401 should be "Unauthenticated". Sadly the spec mixes those two meanings in various places.

I usually do set WWW-Authenticate to None or WebForm (to prevent browsers to pop-up basic auth dialog).

And I agree with ambiguous spec on those concerns.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact