okta vulnerability, grumbling about security 

Another year, another critical vulnerability in Okta's infrastructure - an authentication bypass for users with long usernames, this time.

They ran up against bcrypt's input limit. You know, exactly the kind of footgun that causes people to recommend "don't try to roll your own authentication, outsource it to experts". Like... Okta. Who used bcrypt. And did it wrong.

I would really like for people to stop recommending external authentication providers. It's not actually *that* hard to implement authentication correctly for the vast majority of cases, if you take some time to read up on how to do it. Outsourcing isn't the answer here.
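The bcrypt footgun mentioned above, as an added example that is not part of this thread: a stdlib-only Python model of bcrypt's 72-byte input window, showing why an identifier concatenated in front of the password lets any password verify once the identifier alone fills the window, beside a hardened form that hashes only the secret and pre-hashes it to a fixed length. The username-prefixed construction is an assumption (the post only says long usernames hit the limit), and `bcrypt_effective_input` stands in for a real bcrypt call so the example runs offline.

```python
import base64
import hashlib

# bcrypt's key schedule consumes at most this many bytes of its input.
# Older libraries silently drop the rest; newer ones may reject it, which
# is the behaviour you actually want.
BCRYPT_MAX_BYTES = 72


def bcrypt_effective_input(material: bytes) -> bytes:
    """Model of what bcrypt really keys on: only the first 72 bytes.
    Stand-in for a real bcrypt call, so this runs with no extra packages."""
    return material[:BCRYPT_MAX_BYTES]


def naive_material(username: str, password: str) -> bytes:
    """Assumed weak construction: identifier joined to the secret before
    hashing. This is how a long username can use up the whole window."""
    return f"{username}:{password}".encode("utf-8")


def indistinguishable_to_bcrypt(a: bytes, b: bytes) -> bool:
    """True when bcrypt would derive the same hash from both inputs."""
    return bcrypt_effective_input(a) == bcrypt_effective_input(b)


def password_irrelevant(username: str) -> bool:
    """True when the identifier prefix alone fills bcrypt's window, so every
    password (including an empty one) hashes to the stored value."""
    prefix = f"{username}:".encode("utf-8")
    return len(prefix) >= BCRYPT_MAX_BYTES


def safe_material(password: str) -> bytes:
    """Hardened form: hash only the secret, never an identifier, and pre-hash
    it to a fixed 44-byte string so no byte of the password is ever ignored.
    Must be applied identically at enrolment and at verification time."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest)  # 44 bytes, always inside the window


if __name__ == "__main__":
    long_user = "a" * 71  # 71 chars + ":" = 72 bytes: the window is full
    real = naive_material(long_user, "correct horse battery staple")
    empty = naive_material(long_user, "")
    print("bypass with naive input:", indistinguishable_to_bcrypt(real, empty))
    print("bypass with safe input: ", indistinguishable_to_bcrypt(
        safe_material("correct horse battery staple"), safe_material("")))
```

A defensive check on the enrolment path is simply `len(material) <= BCRYPT_MAX_BYTES` before calling the library; anything longer should be refused or pre-hashed, never truncated.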

re: okta vulnerability, grumbling about security 

@joepie91 Who told you Okta are experts?

Ever since they arrived on the scene, they have been doing crypto exactly like an amateur would.


re: okta vulnerability, grumbling about security 

@riley I mean, this is true for basically every auth company I've seen, they're all snake oil, just some hide it better than others. But that hasn't stopped them from building an 'experts' reputation in the tech world.


re: okta vulnerability, grumbling about security 

@joepie91 Yep. They're all hustlers, no hackers.
