
Hashing (Security: Introduction to Data Security Concerns)

I think he is wrong at this point.

The data is being stored against the username in a database table.

1 Answer

Jennifer Nordell
Treehouse Teacher (STAFF)

Hi there! I received your request for assistance. Unfortunately, I cannot find anywhere specific where he says that any data is not being stored in a database. I feel like you might be misinterpreting what he's saying here. We have a username and a password. The password can be (but absolutely should not be) stored in the database as plain text. It should be hashed and salted, and the result of that would be stored in the database. Then, when the user tries to log in, it takes the password they type in and hashes and salts it. The result of that needs to match what is stored in the database, which again is the result of the hashed and salted password, not the password in plain text.

Hope this helps! :sparkles:

Hey, thanks for replying. I mean to say that in this video, it is mentioned that the program will check for the matching sum value of the hashed password from the list of hashed passwords (all combined), but as far as I'm aware this action (searching for one thing in the list) is done on the username instead of the password, and then the newly provided hashed password is matched against the actual hashed password stored against that specific username.

Jennifer Nordell
Treehouse Teacher

Hi there! You and I both clearly have some experience with databases, and so we understand that it is looking up the username and then comparing the hashed password with the hash stored in the database. However, this is an introductory course designed for beginners. I think the confusion here is not in the wording, but rather the graphics/animations shown.

Take a look at what is actually said:

Take passwords for example. As a service like Amazon or Twitter, I should never know what your password is. I should take it, hash it, and store that hash in my database. Then when you want to log in, I take the password you give me, hash it the same way and compare the resulting hash to what I have stored in the database.

And this part of it is accurate. On the right side, a list of fake hashes is shown. What is not shown is the part where we search the database for the username given to us. I could be wrong, but I feel like this might have been done for the sake of simplicity.

The only inaccuracy I've found so far is the attribution of the first SHA-1 collision to Adobe instead of Google as documented here.
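As an added example (this is not the course's video code, nor Treehouse's own code), here is the full flow both answers describe in Python: the password is hashed with a per-user salt and only the salt and hash are stored against the username; at login the row is looked up by username first, and the freshly computed hash is compared to the stored one. The in-memory USERS dict stands in for the database table, and the PBKDF2-HMAC-SHA256 key-derivation function and iteration count are assumptions of this example rather than anything the video specifies.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the database table: username -> (salt, salted hash).
# The plain-text password never appears in this structure.
USERS: dict[str, tuple[bytes, bytes]] = {}

# Assumed KDF settings for this example; the point is a slow, salted hash, not
# this particular choice.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def register(username: str, password: str) -> None:
    """Store only the salt and the salted hash against the username."""
    salt = os.urandom(SALT_BYTES)
    USERS[username] = (salt, hash_password(password, salt))


def login(username: str, password: str) -> bool:
    """Look up the row by username, re-hash the supplied password with that
    user's salt, and compare the result to the stored hash."""
    row = USERS.get(username)
    if row is None:
        # Unknown username: still pay the KDF cost so that response time does
        # not reveal which usernames exist, then reject.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored_hash = row
    candidate = hash_password(password, salt)
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate, stored_hash)


def salts_make_hashes_differ(user_a: str, user_b: str) -> bool:
    """True when two registered users have different stored hashes, which is
    what the per-user salt guarantees even for identical passwords."""
    return USERS[user_a][1] != USERS[user_b][1]


if __name__ == "__main__":
    # Constructed sample accounts.
    register("alice", "correct horse battery staple")
    register("bob", "correct horse battery staple")
    print("alice, right password:", login("alice", "correct horse battery staple"))
    print("alice, wrong password:", login("alice", "Tr0ub4dor&3"))
    print("unknown user:", login("carol", "correct horse battery staple"))
    print("same password, different stored hashes:",
          salts_make_hashes_differ("alice", "bob"))
```

Note that the lookup is by username and the comparison is against that single stored hash; the video's list of hashes is only a visual. Because each user gets their own random salt, two users with the same password still end up with different rows, so an attacker who obtains the table cannot spot shared passwords or reuse one precomputed table across users.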