
I built my latest application using Amazon Cognito for user management. My application and database don't ever know anything about the passwords. Amazon's problem.



Considering OneLogin's current events I'm not sure if this approach is more secure or a good solution. (https://techcrunch.com/2017/06/01/onelogin-admits-recent-bre...)


You have two choices: try and do it on your own, or delegate to someone who you think can do it better. There are risks either way. Considering how much data Amazon has, they probably invest significantly more than you (or OneLogin) on security.


While letting them handle the security options is probably going to result in a more secure system for you, it's certainly not "Amazon's Problem" when your database gets leaked and your user data gets out. For example, you're still going to have to explain to your users that you were compromised, and you're still going to show up in the haveibeenpwned list, not "An AWS Cognito Account".


> Amazon's problem.

Delegate to someone else™ isn't always the answer to your security problems. It only adds more complexity, no more or no less security.


If my options were Amazon or roll my own, using Amazon would both

1) Decrease complexity, and

2) Add more security.

This is supposing I am not a security expert and that Amazon has a good implementation.

Of course, we all have libraries to use etc.

It's still a pretty good option.



