undefined | Better HN

0 pointssipos4y ago0 comments

This is the DB that contains the usernames and (hashed) passwords right? What do they expect? That you have a separate DB for authentication from everything else? What does that achieve? If you DoS the auth DB, you still DoS the application in this scenario.

0 comments

eurasiantiger4y ago

The application has a much larger attack surface than the auth/user system, so it makes sense to store PII separately.

AlfeG4y ago

Actually yes.

They try to sell us external/internal Auth service, similar to KeyCloack with their support. What pentesters want to achieve is not improved security, but to sell their services as DevOps and developers. This were not what we expected from pentesting.

j / k navigate · click thread line to collapse

0 pointssipos4y ago0 comments

0 comments

eurasiantiger4y ago

The application has a much larger attack surface than the auth/user system, so it makes sense to store PII separately.

AlfeG4y ago

Actually yes.

j / k navigate · click thread line to collapse