Most active commenters

    ←back to thread

    Better Auth, by a self-taught Ethiopian dev, raises $5M from Peak XV, YC

    (techcrunch.com)
    282 points bundie | 14 comments | 25 Jun 25 18:07 UTC | HN request time: 1.411s | source | bottom
    Show context
    jtms ◴[26 Jun 25 03:25 UTC] No.44383929[source]
    "Better Auth’s pitch is simple: Let developers implement everything from simple authentication flows to enterprise-grade systems directly on their databases and embed it all on the back end."

    Its absolutely bonkers to me that web development has gotten to a point where this is a novel pitch. Up until not that long ago ALL auth was done directly in your own database and embeded in your own backend. Am I missing something?

    replies(6): >>44384028 #>>44384484 #>>44384540 #>>44384697 #>>44385855 #>>44387250 #
    1. rafram ◴[26 Jun 25 03:49 UTC] No.44384028[source]
    Yeah and it was terrible. Your password would be stored as an unsalted MD5 hash if you were lucky.

    Enterprise customers did the math on what a security breach lawsuit could cost and started demanding verifiably decent security, which meant some off-the-shelf off-premises solution.

    That’s basically where we are now, and it’s the reason that most of Better Auth’s users are early-stage startups — they need to scale quickly, and they don’t have many pesky enterprise/governmental customers who might want to see a certification.

    replies(5): >>44384080 #>>44384145 #>>44384715 #>>44385363 #>>44386648 #
    2. echelon ◴[26 Jun 25 04:00 UTC] No.44384080[source]
    > Yeah and it was terrible. Your password would be stored as an unsalted MD5 hash if you were lucky.

    That's so 2001.

    Bcrypt was in the default PHP libraries in 2013. It's been available in Python even longer.

    This pattern of outsourcing the most basic of application responsibilities is lazy and exposes you to needless fragility and cost burdens.

    There are a million and one libraries and frameworks that will handle all of this for you, meeting industry standards, without having to pay to be coupled at the hip to some SaaS vendor that will undoubtedly raise prices on you when they hit growth pains.

    You're being rented a partial solution to something that has long been solved. And this - your customer relationship - is such a core function to your business that you shouldn't outsource it.

    replies(3): >>44384530 #>>44385048 #>>44385691 #
    3. motorest ◴[26 Jun 25 04:19 UTC] No.44384145[source]
    > Enterprise customers did the math on what a security breach lawsuit could cost and started demanding verifiably decent security, which meant some off-the-shelf off-premises solution.

    Not really. What happened is that some service providers started offering managed services, some of them completely for free and snazzy UIs that became de-facto standards. Developers could onboard onto fully functioning auth services in minutes with barely any development work and no service to manage.

    Why do you think Google's sign-in flows are ubiquitous?

    4. chistev ◴[26 Jun 25 05:49 UTC] No.44384530[source]
    Thanks, I agree.
    5. pipes ◴[26 Jun 25 06:29 UTC] No.44384715[source]
    I called my doctors surgery because I couldn't login into their web bookings site. The receptionist said "I'll check your password" then she "oh it's all funny characters" and I realised she was reading my real password that was generated by my password manager. This was only a few years ago.
    replies(1): >>44385383 #
    6. xorokongo ◴[26 Jun 25 07:26 UTC] No.44385048[source]
    Yeah. Same thing with AI.
    7. nwienert ◴[26 Jun 25 08:27 UTC] No.44385363[source]
    What are you talking about?

    I was 14 learning PHP in 2003 and every tutorial insisted you salt and use a more secure hashing algorithm.

    It’s weird to see people say things so boldly that are so wrong.

    replies(2): >>44386048 #>>44387768 #
    8. motorest ◴[26 Jun 25 08:30 UTC] No.44385383[source]
    The most concerning part about the belief that bootstrappy self-taught hackers are able to tackle any type of problem just as well as experienced engineers with a solid academic background is how the ignore the fact that hacking together an implementation is a very small part of the problem, and actually knowing the problem domain is of critical importance.

    This is why we end up with businesses running services where a receptionist has access to customer passwords. Those who designed the system weren't even in a position to understand why that was a critical flaw in the design, let alone a problem that needed fixing.

    replies(1): >>44386031 #
    9. chamomeal ◴[26 Jun 25 09:34 UTC] No.44385691[source]
    That is a super refreshing take. When I started needing to add auth to apps (~5 years ago) the only advice I could find on auth was essentially “you are an idiot if you don’t use an auth provider”. Back then I was probably only reading r/webdev or something.
    replies(1): >>44386817 #
    10. koakuma-chan ◴[26 Jun 25 10:37 UTC] No.44386031{3}[source]
    That system was probably designed 30 years ago, and small businesses continue to use them. Happened to me as well.
    11. koakuma-chan ◴[26 Jun 25 10:40 UTC] No.44386048[source]
    I unironically smell a conspiracy here.
    12. macNchz ◴[26 Jun 25 12:13 UTC] No.44386648[source]
    I’ve taken early stage apps through a bunch of security review processes and never encountered questions about the specifics of the auth backend, beyond whether it can support the client’s specific SSO requirements.

    These days I tend to favor having auth built-in, via an "old school" web framework that provides an extensible auth system out of the box. Then we’ll extend that system with a managed 3rd party service to handle SAML when that starts to come up in sales conversations, because the setup is annoying and we can lean on the vendor to deal with whatever weird old IdP the client shows up with.

    13. teddyh ◴[26 Jun 25 12:35 UTC] No.44386817{3}[source]
    That last sentence is possibly taken from <https://www.joelonsoftware.com/2001/10/14/in-defense-of-not-...>: “If you have customers, never outsource customer service.”
    14. rafram ◴[26 Jun 25 14:26 UTC] No.44387768[source]
    That's not how I remember it. There was a lot of

      if (md5($_POST['password'])) == password_col) // success!
    floating around in the PHP example code universe.