

282 points bundie | 15 comments
yodon No.44382371
Pretty sure auth is not something I want a self-taught dev (or even most CS-graduate devs) writing.

Oauth2, JWT's, hashes, timestamps, validations, and such, are all totally simple until they're not. The black hats have way more experience and way more time invested in this space than most any normal dev.

replies(8): >>44382542 #>>44382600 #>>44382664 #>>44383532 #>>44383603 #>>44385107 #>>44385540 #>>44459701 #
vmg12 No.44382542
Auth is really not difficult to write. It's don't roll your own crypto, not don't roll your own auth. People need to stop spreading this fud.
replies(5): >>44382590 #>>44382617 #>>44383537 #>>44383587 #>>44383602 #
1. hobofan No.44382617
What? No!

There are a plethora of mistakes one can make in implementing AuthN/AuthZ, and many of them almost immediately will lead to either the direct leak of PII or can form the start of a chain of exploits.

Storing password hashes in an inappropriate manner -> BOOM, all your users' passwords are reversible and can be used on other websites

Not validating a nonce correctly -> BOOM, your users' auth tokens can be re-used/hijacked

Not validating session timestamps correctly -> BOOM, your outdated tokens can be used to gain the users' PII

replies(4): >>44382637 #>>44382849 #>>44383269 #>>44383288 #
2. vmg12 No.44382637
None of those things are difficult to do correctly.
replies(1): >>44382665 #
3. hobofan No.44382665
Yeah, one would think so. Evidence in the wild shows otherwise.
replies(1): >>44383604 #
4. programmarchy No.44382849
With 5M you can get white hat audits. Even big boys like Okta have had serious fuckups [1].

[1] https://trust.okta.com/security-advisories/okta-ad-ldap-dele...

5. stephenr No.44383269
> Storing password hashes in an inappropriate manner

The problem isn't how you store the hash, it's how you generate the hash.

replies(2): >>44383633 #>>44383825 #
6. deadbabe No.44383288
So it’s a bad idea, but somehow a guy in Ethiopia writes his own auth and builds a whole company around it and gets $5 million?
replies(2): >>44383733 #>>44384516 #
7. gjsman-1000 No.44383604
Plenty of evidence in the wild also shows that programmers in general should never be trusted.
8. gjsman-1000 No.44383633
The short answer: Bcrypt with 12 rounds.

Good enough for almost any startup in 2025.

replies(1): >>44386072 #
9. koakuma-chan No.44383733
He must be really good at selling lol
replies(1): >>44383961 #
10. quacksilver No.44383825
Counterexample: Storing the bcrypt hash by appending it to a CSV file containing the usernames and hashes of all users then having a login process where that CSV file is downloaded to the client and the password is verified locally against that CSV file using client-side JavaScript would probably be very bad.

The cryptography part is fine, but the storage or the auth process isn't.

You would like to think that no-one would write their app that way, but there are plenty of slightly less bad things that happen in practice, and vibe coding probably introduces all sorts of new silliness.

11. 6510 No.44383961
Everything in life is hard there.
12. hobofan No.44384516
I'm not criticizing BetterAuth here, but the idea that rolling your own auth is easy.

BetterAuth is likely an improvement against the status quo for many companies if they have already decided to roll their own auth, as it at least already provides pre-made blocks of functionality that are hopefully battle-hardened rather than building completely from scratch.

replies(2): >>44384704 #>>44386756 #
13. vasco No.44384704
An improvement if their own approach would be worse than 'get a single self taught guy to roll something out'. If it's roughly the same it shouldn't be any improvement.
14. Intermernet No.44386072
Argon2 with defaults. Stronger and easier.
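As an added, self-contained example (not code from the thread or from BetterAuth), this shows stephenr's point that hash generation is what matters, alongside the bcrypt and Argon2 recommendations from gjsman-1000 and Intermernet: a per-user random salt, a tunable work factor stored with the hash so it can be raised later, and constant-time verification. It uses hashlib.scrypt only because that ships in Python's standard library; the thread's actual recommendations are bcrypt (cost 12) or Argon2 with library defaults, which follow the same shape.

```python
import hashlib
import hmac
import os

# Current work-factor policy. scrypt stands in for bcrypt/Argon2 here because it
# is in the standard library; with n=2**14, r=8 it uses 16 MiB per hash.
N, R, P = 2 ** 14, 8, 1


def naive_hash(password: str) -> str:
    """What the thread warns against: fast and unsalted, so equal passwords
    produce equal hashes and precomputed tables apply to every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, n: int = N, r: int = R, p: int = P) -> str:
    """Return a self-describing string: scrypt$N$r$p$salt_hex$hash_hex.
    Embedding the parameters (as bcrypt embeds its cost) lets the work factor
    be raised later without invalidating existing accounts."""
    salt = os.urandom(16)  # fresh per-user salt: same password, different hash
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in `stored` and compare in
    constant time. Any malformed stored value is treated as a failed login."""
    try:
        algo, n, r, p, salt_hex, hash_hex = stored.split("$")
        if algo != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=32)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_rehash(stored: str) -> bool:
    """True if the stored hash was made with weaker parameters than the current
    policy; call after a successful login to upgrade the record transparently."""
    _, n, r, p, *_ = stored.split("$")
    return (int(n), int(r), int(p)) < (N, R, P)
```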
15. deadbabe No.44386756
It’s not easy, but it’s not impossible either.

If you’re just a developer who works on CRUD apps all day or never touches a backend, then yeah, you probably don’t have the skills, but auth is a solved problem and you can learn to do it right. A team of engineers can definitely put together an auth system.