What? No!
There are a plethora of mistakes one can make in implementing AuthN/AuthZ, and many of them will almost immediately either lead to the direct leak of PII or form the start of a chain of exploits.
Storing password hashes in an inappropriate manner -> BOOM, all your users' passwords are reversible and can be used on other websites
Not validating a nonce correctly -> BOOM, your user's auth tokens can be re-used/hijacked
Not validating session timestamps correctly -> BOOM, your outdated tokens can be used to gain the user's PII
With 5M you can get white hat audits. Even big boys like Okta have had serious fuckups [1].
[1] https://trust.okta.com/security-advisories/okta-ad-ldap-dele...
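The nonce and timestamp checks named in the comment above, as an added example that is not part of the thread or any project's own code. It assumes a hypothetical HMAC-signed token format, a constructed key, a 300-second lifetime and an in-memory nonce store (a real deployment would need a store shared by all servers).

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # constructed value; real keys live in a secret store
MAX_AGE = 300                     # assumed token lifetime, seconds
SKEW = 30                         # assumed tolerated clock skew, seconds

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def issue(user: str, nonce: str, now: int) -> str:
    """Build a token: base64(JSON claims) + '.' + HMAC-SHA256 hex tag."""
    payload = json.dumps({"sub": user, "nonce": nonce, "iat": now}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()

class Validator:
    def __init__(self):
        self.seen = {}  # nonce -> time after which the token is expired anyway

    def check(self, token: str, now: int) -> str:
        try:
            body, tag = token.split(".")
            payload = base64.urlsafe_b64decode(body)
        except ValueError:  # wrong part count or invalid base64
            return "malformed"
        # Constant-time comparison; verify the tag before trusting any claim.
        if not hmac.compare_digest(_sign(payload), tag.encode()):
            return "bad-signature"
        claims = json.loads(payload)
        iat, nonce = claims["iat"], claims["nonce"]
        # Timestamp check: reject tokens dated in the future or past their lifetime.
        if iat > now + SKEW:
            return "from-future"
        if now - iat > MAX_AGE:
            return "expired"
        # Nonce check: each nonce is accepted once. Entries are dropped only
        # after the matching token has expired, so purging opens no replay window.
        self.seen = {n: exp for n, exp in self.seen.items() if exp >= now}
        if nonce in self.seen:
            return "replayed"
        self.seen[nonce] = iat + MAX_AGE
        return "ok"
```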
> Storing password hashes in an inappropriate manner
The problem isn't how you store the hash, it's how you generate the hash.
So it’s a bad idea, but somehow a guy in Ethiopia writes his own auth and builds a whole company around it and gets $5 million?