okta vulnerability, grumbling about security 

Another year, another critical vulnerability in Okta's infrastructure - an authentication bypass for users with long usernames, this time.

They ran up against bcrypt's input limit. You know, exactly the kind of footgun that causes people to recommend "don't try to roll your own authentication, outsource it to experts". Like... Okta. Who used bcrypt. And did it wrong.

I would really like for people to stop recommending external authentication providers. It's not actually *that* hard to implement authentication correctly for the vast majority of cases, if you take some time to read up on how to do it. Outsourcing isn't the answer here.


okta vulnerability, grumbling about security (2) 

I will give Okta a tiny bit of credit for having used a cryptographic hash for their cache, which is something that many people get wrong. But that doesn't really help you if you then use the *wrong* cryptographic hash...
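Added illustration of the failure mode the two posts describe (this is constructed example code, not Okta's code and not from the post author). It models bcrypt's 72-byte input limit with a plain stdlib slice instead of calling a bcrypt library, and it assumes a hypothetical cache-key layout of user id, username and password concatenated with no delimiters; the post does not state Okta's exact layout. The `hardened_key_material` function shows one common mitigation, length-prefixed pre-hashing to a fixed-size digest, which is likewise an assumption rather than anything the post prescribes.

```python
"""Why bcrypt's input limit breaks a "concatenate everything and hash it" cache key.

bcrypt only consumes the first 72 bytes of its input; later bytes have no effect
on the digest. If a cache key is built by concatenating identifiers and the
password, a long enough prefix pushes the password past byte 72 and every
password then yields the same key. Constructed example; stdlib only.
"""
import hashlib
import hmac

BCRYPT_INPUT_LIMIT = 72  # bytes of input that bcrypt actually uses


def naive_key_material(user_id: str, username: str, password: str) -> bytes:
    """Hypothetical weak layout: fields concatenated with no delimiters."""
    return (user_id + username + password).encode("utf-8")


def bcrypt_effective_input(data: bytes) -> bytes:
    """Model of bcrypt's truncation: only the first 72 bytes matter."""
    return data[:BCRYPT_INPUT_LIMIT]


def password_bytes_covered(user_id: str, username: str, password: str) -> int:
    """How many bytes of the password land inside the hashed window.

    0 means the password has no influence on the resulting hash at all.
    """
    prefix_len = len((user_id + username).encode("utf-8"))
    pw_len = len(password.encode("utf-8"))
    return max(0, min(pw_len, BCRYPT_INPUT_LIMIT - prefix_len))


def username_length_that_drops_password(user_id: str) -> int:
    """Audit helper: smallest username byte length at which the password is
    entirely outside the window for this user id (assumed layout)."""
    return max(0, BCRYPT_INPUT_LIMIT - len(user_id.encode("utf-8")))


def naive_keys_collide(user_id: str, username: str, pw_a: str, pw_b: str) -> bool:
    """True when two different passwords produce identical bcrypt input."""
    a = bcrypt_effective_input(naive_key_material(user_id, username, pw_a))
    b = bcrypt_effective_input(naive_key_material(user_id, username, pw_b))
    return a == b


def hardened_key_material(user_id: str, username: str, password: str) -> bytes:
    """Assumed mitigation: pre-hash length-prefixed fields to a fixed 32 bytes.

    Every byte of every field influences the digest, the output always fits
    under the 72-byte limit, and the length prefixes stop "ab"+"c" from
    colliding with "a"+"bc" the way raw concatenation does.
    """
    h = hashlib.sha256()
    for field in (user_id, username, password):
        raw = field.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big"))
        h.update(raw)
    return h.digest()


def hardened_keys_collide(user_id: str, username: str, pw_a: str, pw_b: str) -> bool:
    """True only if the pre-hashed material is identical (constant-time compare)."""
    return hmac.compare_digest(
        hardened_key_material(user_id, username, pw_a),
        hardened_key_material(user_id, username, pw_b),
    )


if __name__ == "__main__":
    uid = "00u0000000000000000"  # constructed, arbitrary user id
    long_name = "x" * 70         # constructed long username
    print("password bytes hashed:", password_bytes_covered(uid, long_name, "hunter2"))
    print("naive collision:", naive_keys_collide(uid, long_name, "hunter2", "wrong"))
    print("hardened collision:", hardened_keys_collide(uid, long_name, "hunter2", "wrong"))
```

The check worth carrying into a code review is `password_bytes_covered`: if any reachable combination of identifier lengths can drive it to zero, the password is not being authenticated, whatever hash sits at the end of the pipeline.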
