Programming with Brighid – Software Lessons

Okay it’s time for software lessons with Brighid and today it’s about authentication or “why you can’t edit your award recommendation submissions anymore.” This is a question we get a lot.

Disclaimer: I am by no means a security expert and have only completed enough training on this to be frightened by it. I am only attempting to share that fear with all of you and am not giving advice. Don’t take my advice. I’m a novice at this.

Carrying on.

So authentication is basically your login process: making sure you are who you say you are. We do this all the time, and it looks simple. Username and password, right?

Dear god it is not simple. You have to worry about password encryption, and not just any old encryption will do, because some of them have been broken by now. You have to worry about the weirdest things that might be an attack vector. For example, say it takes 1 millisecond to check a username but 5 milliseconds to check a password. If you return an “invalid username or password” message in 6 milliseconds instead of 1 millisecond, an attacker knows the username is at least correct and has half of the credentials they need. So you fake out the full length of time even if you know the username is wrong. Does that sound crazy? It is crazy. This is the crazy bullshit we have to worry about.
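Here is what “faking out the full length of time” looks like in code. This is an added illustration written for this post in Ruby (the language the portals are built in), not code from the portals or from Devise; the user table, the password and the PBKDF2 settings are all constructed for the example. The leaky version returns as soon as it sees an unknown username; the hardened version does the same expensive hash against a dummy record and a full-length comparison no matter what, so both paths cost about the same.

```ruby
require "openssl"

ITERATIONS = 20_000
KEY_LEN    = 32

# Derive a password hash with PBKDF2-HMAC-SHA256 (deliberately slow).
def derive(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN, OpenSSL::Digest.new("sha256"))
end

# Constructed in-memory "user table": username => [salt, hash]. Not real data.
SALT_BRIGHID = OpenSSL::Random.random_bytes(16)
USERS = {
  "brighid" => [SALT_BRIGHID, derive("correct horse battery", SALT_BRIGHID)],
}.freeze

# Dummy record used when the username is unknown, so that path does the same work.
DUMMY_SALT = OpenSSL::Random.random_bytes(16)
DUMMY_HASH = derive("not-a-real-password", DUMMY_SALT)

# Compare two byte strings without stopping at the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Leaky version: unknown usernames return immediately, so the response time
# tells an observer whether the username exists. Kept only for comparison.
def leaky_authenticate(username, password)
  record = USERS[username]
  return false if record.nil?          # fast path: "no such user" is visible in timing
  salt, stored = record
  derive(password, salt) == stored      # String#== also stops at the first differing byte
end

# Hardened version: always derive a hash and always compare the full length,
# whether or not the username exists.
def authenticate(username, password)
  salt, stored = USERS.fetch(username, [DUMMY_SALT, DUMMY_HASH])
  candidate = derive(password, salt)
  match = constant_time_equal?(candidate, stored)
  match && USERS.key?(username)         # unknown users still fail, after equal work
end

# Rough wall-clock measurement in milliseconds, for eyeballing the difference.
def elapsed_ms
  start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  yield
  ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - start) * 1000).round(2)
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky, unknown user:    #{elapsed_ms { leaky_authenticate('nobody', 'x') }} ms"
  puts "leaky, known user:      #{elapsed_ms { leaky_authenticate('brighid', 'x') }} ms"
  puts "hardened, unknown user: #{elapsed_ms { authenticate('nobody', 'x') }} ms"
  puts "hardened, known user:   #{elapsed_ms { authenticate('brighid', 'x') }} ms"
end
```

Run it a few times and the two leaky timings differ by roughly the cost of one hash, while the two hardened timings are close together. Real systems also rate-limit attempts, but the point here is only that the hardened function does the same amount of work on every path.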

The industry best practice when it comes to building your own authentication system is DON’T. Use procedures and tools that already exist.

The Peerages Portal and the Arts and Sciences Portal get away with doing authentication because we use something called Devise, which is an open source authentication system built on layers and layers of expertise. It’s used to protect your healthcare information. It’s used to protect your financial information. The volunteers that wrote our portals didn’t write authentication. We used the work of people with very deep knowledge in this field to do the dangerous work for us.

But that takes a programmer to do. I work professionally with Ruby, which is what those portals and Devise are built in, but I’m also officially out of free time at this point, and writing an app or starting up a server is never a one-and-done kind of thing; I’ll go into why that is some other day. We need tools that are maintainable by a low level of volunteer time and by people who aren’t programmers.

Storing authentication data is also risky. I took a couple of security classes while working at my last job, and one of the important lessons was that the safest data is the data you don’t store. Basically, if you don’t need it, don’t have it around in case you get hacked and lose it all. As for what people can do with password data once they have it, here’s one example. Remember how I said earlier that some encryption has been broken? Look up the term “rainbow table” if you want to know more, but the gist is: if you’re a bad person and get your hands on people’s encrypted passwords, and they weren’t encrypted correctly, you can just… reverse look them up and find out what their passwords are. Then, since a lot of people reuse passwords, instead of trying to log in to the Midrealm systems (because honestly, who outside of our organization cares how many times I submitted my dog for an award) they’ll go try to log in to things like… your bank account.
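To make the “reverse look it up” part concrete, here is an added Ruby example (written for this post, not code from the portals or from Devise). It uses a plain precomputed lookup table rather than a real rainbow table, which is a compressed version of the same idea, but the lesson is identical: an unsalted, fast hash of a common password can be reversed with one table that works against every user on every site, while a per-user random salt plus a slow derivation (PBKDF2 here) means nothing in that table matches. The password list and iteration count are constructed for the example.

```ruby
require "digest"
require "openssl"

# Constructed list of a few weak passwords; stands in for a real wordlist.
COMMON_PASSWORDS = %w[password 123456 qwerty letmein dragon].freeze

PBKDF2_ITERATIONS = 100_000
PBKDF2_KEY_LEN    = 32

# The "wrong" way: one unsalted, fast hash per password.
def sha256_hex(password)
  Digest::SHA256.hexdigest(password)
end

# Precomputed table: hash => plaintext. Built once, reusable against every
# unsalted SHA-256 password store anywhere.
LOOKUP = COMMON_PASSWORDS.to_h { |p| [sha256_hex(p), p] }.freeze

# Returns the plaintext if the stored hash is in the table, nil otherwise.
def reverse_lookup(stored_hash_hex)
  LOOKUP[stored_hash_hex]
end

# The "right" way: random salt per user, slow key derivation.
def pbkdf2(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, PBKDF2_KEY_LEN,
                             OpenSSL::Digest.new("sha256"))
end

def store_salted(password)
  salt = OpenSSL::Random.random_bytes(16)
  { salt: salt, hash: pbkdf2(password, salt) }
end

# Compare without stopping at the first differing byte (see the timing discussion).
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def verify_salted(record, password)
  constant_time_equal?(pbkdf2(password, record[:salt]), record[:hash])
end

if __FILE__ == $PROGRAM_NAME
  leaked_unsalted = sha256_hex("letmein")
  puts "unsalted SHA-256 of a common password reverses to: #{reverse_lookup(leaked_unsalted).inspect}"

  record = store_salted("letmein")
  puts "salted PBKDF2 of the same password reverses to:    #{reverse_lookup(record[:hash].unpack1('H*')).inspect}"
  puts "two users with the same password share a hash?     #{store_salted('letmein')[:hash] == record[:hash]}"
end
```

The salt does not need to be secret; it only has to be different per user, so an attacker would have to rebuild the table for each user, and the slow derivation makes each entry in that rebuild cost real time.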

Anyway, please don’t reuse passwords; there are password managers to help with this problem. (I lied earlier, this IS advice, please take it.) I personally use LastPass, but figure out what works for you.

Okay so username/password data requires special skillsets to implement and is risky to keep around. But why do we need authentication for editing award recommendations?

Authentication is how we know you are who you say you are and more importantly for award recommendations, it’s how we would know who “owns” what award recommendation. When I built the Arts and Sciences Portal, I put a check in front of everything that accesses a chunk of data that confirms the person requesting it has the authority to access it. It basically says “are you an admin or do you ‘own’ this entry?” and if the answer is “yes”, then you’re granted access to it. Otherwise, you get denied.

This works because the system keeps track of ownership. We can define relationships between pieces of data in our system. So we have the concept of a “user” and the concept of an “entry” and then we define a relationship that says entries can be owned by users. When we enter an entry into our system, we add a little piece of data to it that indicates what user it belongs to. Basically, when you submit a digital entry, we digitally slap your name on it. Then we know who is and isn’t allowed access to that entry by checking who is logged in against who owns the entry. That’s part of what authentication does.

The award recommendations would need to function the same way if people were to be able to go back and edit them. If you put in an award, you wouldn’t want me to be able to go in and change it, right? And without authentication, the system doesn’t know any better and it’d be an ugly free-for-all. Because for award editing to work, every award you submit would have to be associated with a user and once we have users… we need them to be able to login… and we have authentication.
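Here is the ownership check from the last few paragraphs written out, as an added Ruby example for this post (not the Arts and Sciences Portal’s actual code, and no Devise or Rails involved; the `User` and `Entry` records are stand-ins for database rows). Two details worth seeing in code: the owner is stamped from whoever is logged in, never from anything the submitted form says, and nobody logged in means denied, every time.

```ruby
# Constructed records standing in for database rows.
User  = Struct.new(:id, :name, :admin, keyword_init: true)
Entry = Struct.new(:id, :title, :owner_id, keyword_init: true)

class NotAuthorized < StandardError; end

# The check that sits in front of every piece of data:
# "are you an admin or do you own this entry?" A nil user (nobody logged in) never passes.
def can_access?(current_user, entry)
  return false if current_user.nil?
  return true if current_user.admin
  entry.owner_id == current_user.id
end

# "Digitally slap your name on it": ownership comes from the logged-in session.
# `submitted` is whatever the browser posted; an owner_id in there is ignored.
def create_entry(current_user, submitted, next_id)
  raise NotAuthorized, "must be logged in to submit" if current_user.nil?
  Entry.new(id: next_id, title: submitted.fetch("title"), owner_id: current_user.id)
end

# Editing goes through the same check, so only the owner or an admin gets through.
def update_entry(current_user, entry, submitted)
  unless can_access?(current_user, entry)
    raise NotAuthorized, "not admin or owner of entry #{entry.id}"
  end
  entry.title = submitted.fetch("title")
  entry
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(id: 1, name: "alice", admin: false)
  bob   = User.new(id: 2, name: "bob",   admin: false)

  # Bob's browser claims owner_id 2 on Alice's submission; the claim is ignored.
  entry = create_entry(alice, { "title" => "My dog, for an award", "owner_id" => 2 }, 10)
  puts "owner recorded as user #{entry.owner_id}"

  begin
    update_entry(bob, entry, { "title" => "Actually my dog" })
  rescue NotAuthorized => e
    puts "bob denied: #{e.message}"
  end
end
```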

So that’s really the gist of it. Authentication is dangerous and difficult and while there are things out there to help with it, custom coded solutions severely limit the number of volunteers that can actually help with it. But ‘fire and forget’ type form submissions? Oh those are EASY and don’t require programmers to build with the tools we’ve got available. The awards recommendation is a form now, and if you’ve ever worked with Google Forms, you’ll know that those are drag and drop tools that don’t require a single line of code. Our awards recommendation form is basically the same thing. It saves off the entry into a database but also shoots a copy over to a Google spreadsheet and Google manages access to that so Their Royal Majesties can get to it.

Basically, we’re simplifying the system and either discarding or handing off the stuff that is dangerous/difficult to entities that are way more qualified for it.

Let me know if you want to hear a specific question answered or next time I’ll talk about the Arts and Sciences Portal and what goes into building and maintaining something like that.

Brighid
