Learn how to keep passwords secret. You learn how to use BCrypt, a hashing algorithm that converts a password to a fixed-length string of characters. Hashing lets you store a password in a database so that, even if the database is accessed, an attacker cannot simply read the real password and log into your site.
New Terms
- Hashing — using a function that takes some piece of information and returns a hash that represents that information
- Salt — a randomly generated string that is concatenated with a password before it is hashed
Let's take a break from writing code and talk about how we can make our application more secure. In the last video you saw that our application stored the user's password in plain text within the database. Anyone who looked into the database could find a user's credentials and log in as them. That's not good.

Fortunately, there's a way to protect sensitive data like a password when you store it in a database. You basically jumble the plaintext password using a process called hashing. Cryptographic hash functions take a piece of information and return a string, called the hash, that represents that information. There are many different hash functions, but most take a string of any length and produce what looks like a random mix of numbers and letters. No matter the length of the input, the resulting hash is always the same length. The exact cryptographic function determines the length of the hash. In our app the hash values will always be 60 characters long.

When users log in to a site, they enter their plain-text password. The web application runs the plain text through a hash function and compares the output to the hash stored in the database. If they match, then the user is authenticated and logged in.

Hashing is a one-way process. That is, you can't unhash or decrypt a hash value. For passwords, that's ideal. If someone gains access to the database, they'll only find the password hash value. Typing the hash value in the login form won't do anything. And it's not easy to unhash or figure out the password, even if you have the hashed password from the database. However, with enough effort and computer power, even hash values aren't completely secure. Someone can reverse engineer a hash to get to the original password. So, to add more security, we can use something called a salt to randomize the hash value.

Now it's not the salt you sprinkle on your French fries. Salt in cryptography refers to random data that you include with the input for your hash function. A salt should be randomly generated for each password. The salt is concatenated, or added, to the password and then processed by whichever cryptographic hash function you're using. The output of that function is stored in the database as well as the salt itself.

For hashing passwords in this project, we'll be using the Bcrypt node package. As noted on the project's website, Bcrypt is a cross-platform encryption utility. It's a popular option with the Node.js community when hashing user passwords. We should always keep our users' data safe and secure. Hashing passwords and using a salt are very important when developing an authentication system. In the next video, we'll move forward with utilizing Bcrypt. We'll also add methods to our user model to create the hash value we'll store in the database.