Learn how to keep passwords secret. You learn how to use BCrypt, a hashing algorithm that converts a password to a fixed-length string of characters. Hashing lets you store a password in a database so that, even if the database is accessed, attackers won't be able to figure out the real password and log into your site.
- Hashing — using a function which takes some piece of information and returns a hash that represents that information
- Salt — a randomly generated string that is concatenated with a password before hashing
Let's take a break from writing code and talk about how we can make our application more secure. In the last video you saw that our application stored the user's password in plain text within the database. Anyone who looked into the database could find a user's credentials and log in as them. That's not good.

Fortunately, there's a way to protect sensitive data like a password when you store it in a database. You basically jumble the plaintext password using a process called hashing. Cryptographic hash functions take a piece of information and return a string, called the hash, that represents that information. There are many different hash functions, but most take a string of any length and produce what looks like a random mix of numbers and letters. No matter the length of the input, the resulting hash is always the same length. The exact cryptographic function determines the length of the hash. In our app the hash values will always be 60 characters long.

When users log in to a site, they enter their plain text password. The web application runs the plain text through a hash function and compares the output to the hash stored in the database. If they match, then the user is authenticated and logged in.

Hashing is a one-way process. That is, you can't unhash or decrypt a hash value. For passwords, that's ideal. If someone gains access to the database, they'll only find the password hash value. Typing the hash value in the login form won't do anything. And it's not easy to unhash or figure out the password, even if you have the hashed password from the database. However, with enough effort and computer power, even hash values aren't completely secure. Someone can reverse engineer a hash to get to the original password. So, to add more security, we can use something called a salt to randomize the hash value.

Now it's not the salt you sprinkle on your French fries. Salt in cryptography refers to random data that you include with the input for your hash function. A salt should be randomly generated for each password. The salt is concatenated, or added, to the password and then processed by whichever cryptographic hash function you're using. The output of that function is stored in the database, as well as the salt itself.

For hashing passwords in this project, we'll be using the Bcrypt node package. As noted on the project's website, Bcrypt is a cross-platform encryption utility. It's a popular option with the nodeJS community when hashing user passwords. We should always keep our users' data safe and secure. Hashing passwords and using a salt are very important when developing an authentication system. In the next video, we'll move forward with utilizing Bcrypt. We'll also add methods to our user model to create the hash value we'll store in the database.