by sneak
2353 days ago
My understanding is that most people roll their own (for the minority case of users not logging in via Google or Facebook identity). This is why, for example, most sites will confirm/deny the existence of an account for a given email (provided by an attacker) during password reset flow. There simply aren’t great prepackaged solutions for the part beyond “hash it and put it in the db”. This is also why sites that do 2FA frequently fall prey to the “steal the SIM and you can reset the password with no other factor” attack so commonly. |
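The enumeration leak the comment describes, shown beside an enumeration-resistant reset flow, as an added example (not the commenter's code); the user store, outbox, URL and function names are constructed for illustration:

```python
import hashlib
import secrets
import time

# Constructed sample data for this example: email -> stored password hash (placeholder).
USERS = {"alice@example.com": "<password-hash-placeholder>"}
# Pending reset tokens, kept only as SHA-256 digests with an expiry timestamp,
# so a database leak does not hand out live reset links.
RESET_TOKENS = {}
# Stand-in for the outbound mail queue: list of (recipient, body).
OUTBOX = []
TOKEN_TTL = 15 * 60  # seconds a reset token stays valid

def _issue_token(email):
    """Generate a random token, store only its hash, queue the reset email."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (email, time.time() + TOKEN_TTL)
    OUTBOX.append((email, f"Reset link: https://example.invalid/reset/{token}"))

def reset_leaky(email):
    """The common flow from the comment: the response confirms whether the account exists."""
    if email not in USERS:
        return 404, "No account found for that address."
    _issue_token(email)
    return 200, "Reset email sent."

def reset_uniform(email):
    """Hardened flow: identical status and body whether or not the account exists."""
    if email in USERS:
        _issue_token(email)
    else:
        # Do comparable work on the miss path so response timing leaks less as well.
        secrets.token_urlsafe(32)
        hashlib.sha256(b"no-such-account").hexdigest()
    return 200, "If that address has an account, a reset email has been sent."

def consume_token(token):
    """Redeem a token: look up its hash, enforce expiry, and invalidate it on use."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)  # single-use: removed whether valid or expired
    if entry is None or entry[1] < time.time():
        return None
    return entry[0]
```

The uniform response removes the oracle from the reset endpoint; rate limiting per address and per source still belongs in front of it, since the email itself remains the only channel that reveals anything.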