282 points bundie | 1 comment
yodon No.44382371
Pretty sure auth is not something I want a self-taught dev (or even most CS-graduate devs) writing.

OAuth2, JWTs, hashes, timestamps, validations, and such are all totally simple until they're not. The black hats have way more experience and way more time invested in this space than most any normal dev.

replies(8): >>44382542 #>>44382600 #>>44382664 #>>44383532 #>>44383603 #>>44385107 #>>44385540 #>>44459701 #
vmg12 No.44382542
Auth is really not difficult to write. It's "don't roll your own crypto", not "don't roll your own auth". People need to stop spreading this FUD.
replies(5): >>44382590 #>>44382617 #>>44383537 #>>44383587 #>>44383602 #
hobofan No.44382617
What? No!

There is a plethora of mistakes one can make in implementing AuthN/AuthZ, and many of them will almost immediately lead to either the direct leak of PII or can form the start of a chain of exploits.

Storing password hashes in an inappropriate manner -> BOOM, all your users' passwords are reversible and can be used on other websites

Not validating a nonce correctly -> BOOM, your users' auth tokens can be re-used/hijacked

Not validating session timestamps correctly -> BOOM, your outdated tokens can be used to gain the users' PII

replies(4): >>44382637 #>>44382849 #>>44383269 #>>44383288 #
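The three failure modes hobofan lists, shown from the defensive side as an added example (not code from anyone in the thread): salted scrypt password storage with a constant-time check, and a single-use signed auth token whose signature, expiry and nonce are all verified. The secret key, the `user|expiry|nonce|sig` token format and the function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Password storage: a salted, memory-hard KDF (scrypt). A bare sha256(password)
# is the "inappropriate manner" in the comment: unsalted and cheap to brute-force.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)

def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt + digest  # store the salt alongside the digest

def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

# Single-use auth token: HMAC over "user|expiry|nonce". Verification checks the
# signature, the expiry against the server clock, and that the nonce is unused.
SECRET = b"constructed-demo-key"  # constructed for the example; load from a secret store in practice
_seen_nonces = set()  # in-memory for the example; a shared store in a real deployment

def issue_token(user: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    payload = f"{user}|{int(now) + ttl_seconds}|{os.urandom(12).hex()}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"

def verify_token(token: str, now: Optional[float] = None, skew: int = 30) -> Optional[str]:
    """Return the user on success, None on any failure (no detail leaks to the caller)."""
    now = time.time() if now is None else now
    try:
        user, exp_s, nonce, sig = token.split("|")
        exp = int(exp_s)
    except ValueError:
        return None  # malformed
    payload = f"{user}|{exp_s}|{nonce}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered or forged
    if now > exp + skew:
        return None  # expired (a small clock skew is tolerated, not an unbounded one)
    if nonce in _seen_nonces:
        return None  # replayed
    _seen_nonces.add(nonce)
    return user
```

The order of checks matters: the signature is verified before the expiry and nonce are trusted, so an attacker cannot extend a token's lifetime or swap in a fresh nonce by editing the payload.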
deadbabe No.44383288{3}
So it’s a bad idea, but somehow a guy in Ethiopia writes his own auth and builds a whole company around it and gets $5 million?
replies(2): >>44383733 #>>44384516 #
koakuma-chan No.44383733{4}
He must be really good at selling lol
replies(1): >>44383961 #
6510 No.44383961{5}
Everything in life is hard there.