
If I'm creating an authorization service for my application, why can't I just hash the password and save the username and hashed password in my User table? Why should I use a token authentication service like JWT? I don't think I'm right but I feel like I'm missing something here.

1 Answer


Well, for starters, a token can be expired in a relatively short period of time, forcing a user to re-authenticate. A password generally has a much longer life. Thus, if a token is stolen by an attacker it is useful for a relatively short period of time (this is one reason that when you have to change a password a good system will force you to enter the current password).

In addition, if you put a hashed password on the client then it can be stolen and used by an attacker in "pass the hash" attacks, which have been around for over twenty years now. It'd be nice to get rid of them :-)

Swashbuckler
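To make the answer's point concrete, here is an added example (my own code, not the answer author's) of the two layers working together: the password is stored only as a salted PBKDF2 hash in a constructed in-memory user table and is checked once at login, and what the client then carries is a short-lived, HMAC-signed, JWT-shaped token. The 15-minute TTL, the choice of PBKDF2 as the password hash, and the hand-rolled HS256 signing are assumptions for illustration; a production service would use a maintained JWT library and a purpose-built password hash such as Argon2 or scrypt.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# Constructed user store for the example: username -> (salt, pbkdf2 hash).
# Only the hash ever lives server-side; the client never sees it.
USERS = {}
PBKDF2_ROUNDS = 200_000  # assumed work factor for this example

def register(username, password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = (salt, digest)

def verify_password(username, password):
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work so timing does not reveal whether the user exists.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

# Server-side signing key; the client never needs it, only the token.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60  # assumed short lifetime, per the answer's argument

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(username, ttl_seconds=TOKEN_TTL_SECONDS, now=None):
    """Mint a JWT-shaped HS256 token whose 'exp' claim bounds its useful life."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iat": now, "exp": now + ttl_seconds}
    signing_input = (_b64(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SERVER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify_token(token, now=None):
    """Return the subject if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        # Always verify with the server's fixed algorithm and key; never trust the
        # header's 'alg' field to pick the algorithm (classic JWT pitfall).
        expected = hmac.new(SERVER_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return None
        payload = json.loads(_unb64(p))
        if payload["exp"] <= now:
            return None  # a stolen token is worthless once this check fails
        return payload["sub"]
    except (ValueError, KeyError, TypeError):
        return None

def login(username, password, now=None):
    """Exchange a password for a short-lived token; the password is not sent again."""
    if not verify_password(username, password):
        return None
    return issue_token(username, now=now)

if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    token = login("alice", "correct horse battery staple")
    print("subject now:", verify_token(token))
    print("subject in an hour:", verify_token(token, now=time.time() + 3600))
```

The `now` parameter exists so the expiry behaviour can be exercised deterministically; in real use it defaults to the clock. Note that verifying the signature before looking at any claim is deliberate: an attacker who can edit the payload must not be able to extend `exp` or change `sub`.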