Welcome to the Treehouse Community

The Treehouse Community is a meeting place for developers, designers, and programmers of all backgrounds and skill levels to get support. Collaborate here on code errors or bugs that you need feedback on, or asking for an extra set of eyes on your latest project. Join thousands of Treehouse students and alumni in the community today. (Note: Only Treehouse students can comment or ask questions, but non-students are welcome to browse our conversations.)

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and a supportive community. Start your free trial today.

JavaScript User Authentication With Express and Mongo User Registration Hashing and Salting

Remi Vledder
Remi Vledder
14,144 Points

If someone has your hashed password, can they access your account?

In the video the process of hashing and salt is explained.

It's explained that hashing is a one-way process and its goal is to verify that a piece of data hasn't been altered.

So what happens in the form subscription, is that the password is hashed and then send to the database. Then, each time the user logs in, the password filled in on the login form is also hashed and then that hash is compared to the existing hash in the database.

Pretty silly question, but: Does someone with that hash always have access to your account?

i.e. Is it possible for someone with access to the database to use that hash and login on the front-end using the same form page to login? (or an alteration of the form page in that manner)

But also: if the database is hacked, would it then mean that the hacker would have immediate access with that hash to your account as well?

Or is there some sort of security that you cannot do a POST request to the server with a (pre-)hashed input?

2 Answers

Jesus Mendoza
Jesus Mendoza
23,275 Points

Hey Rami.

That's the sole purpose of hashing your passwords, to protect them.

Typically when you hash a password you use a secret phrase somewhere safe, a salt which are some random bits and the plain password, to create a complex hash. If someone hacked your database and gained access to all the hashed passwords, they would still need to know the secret phrase and the random bits used to hash the password to decode them and gain access.

Remi Vledder
Remi Vledder
14,144 Points

Thanks for your reply (and patience).

Decoding is never done in hashes right? That is something that is done in encrypting and decrypting. Where encrypting is more about protecting data in transit, and hashing is done to verify it hasn't been altered.

Since the salt and plain password make up the hash, why is it necessary for the hacker to also know the random bits once they already have the hash? (hacker sends hash via login form === database hash)

Remi Vledder
Remi Vledder
14,144 Points

I guess hashing and salting is more that the password is unique to your website?

So if a hacker get's access to your site's database, they will only have the single (hashed AND 'salted') instance of a users password. And will be able to login on the site. But they won't have the un-hashed' password that the user might also use on other sites.