Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll

User Authentication With Express and Mongo

Preview

Start a free Courses trial
to watch this video

Sign up for Treehouse

Hashing and Salting

2:53 with Dave McFarland and Jonathan Foster

Learn how to keep passwords secret. You learn how to use BCrypt, a hashing algorithm that converts a password to a fixed length, string of characters. Hashing lets you store a password in a database so that, even if the database is accessed, hackers won't be able to figure out the real password and log into your site.

New Terms

  • Hashing — using a function which takes some piece of information and return a hash that represents that information
  • Salt — randomly generated string that is concatenated with a password

Related Discussions

Have questions about this video? Start a discussion with the community and Treehouse staff.

Sign up

    Related Discussions

    Have questions about this video? Start a discussion with the community and Treehouse staff.

    Sign up

    Let's take a break from writing code and 0:00
    talk about how we can make our application more secure. 0:02
    In the last video you saw that our application stored the user's password 0:06
    in plain text within the database. 0:10
    Anyone who looked into the database could find a user's credentials and 0:12
    login as them. 0:16
    That's not good. 0:17
    Fortunately, there's a way to protect sensitive data like a password, 0:19
    when you store it in a database. 0:22
    You basically jumble the plaintext password using a process called hashing. 0:24
    Cryptographic hash functions take a piece of information and return a string, 0:29
    called the hash, that represents that information. 0:34
    There are many different hash functions, but most take a string of any length and 0:37
    produce what looks like a random mix of numbers and letters. 0:41
    No matter the length of the input, the resulting hash is always the same length. 0:45
    The exact cryptographic function determines the length of the hash. 0:50
    In our app the hash values will always be 60 characters long. 0:54
    When users login to a site, they enter their plain text password. 0:59
    The web application runs the plain text through a hash function and 1:03
    compares the output to the hash stored in the database. 1:07
    If they match then the user is authenticated and logged in. 1:11
    Hashing is a one way process. 1:15
    That is, you can't unhash or decrypt a hash value. 1:18
    For passwords, that's ideal. 1:21
    If someone gains access to the database, they'll only find the password hash value. 1:23
    Typing the hash value in the login form won't do anything. 1:29
    And it's not easy to unhash or 1:32
    figure out the password, even if you have the hashed password from the database. 1:34
    However, with enough effort and 1:40
    computer power, even hash values aren't completely secure. 1:42
    Someone can reverse engineer a hash to get to the original password. 1:45
    So, to add more security, 1:50
    we can use something called a salt to randomize the hash value. 1:51
    Now it's not the salt you sprinkle on your French fries. 1:55
    Salt in cryptography refers to random data that you include with the input for 1:58
    your hash function. 2:02
    A salt should be randomly generated for each password. 2:04
    The salt is concatenated or added to the password and 2:07
    then processed by whichever cryptographic hash function you're using. 2:10
    The output of that function is stored in the database as well as the salt itself. 2:15
    For hashing passwords in this project, we'll be using the Bcrypt node package. 2:19
    As noted on the project's website Bcrypt is a cross-platform encryption utility. 2:24
    It's a popular option with the nodeJS community when hashing user passwords. 2:30
    We should always keep our users data safe and secure. 2:35
    Hashing passwords and 2:39
    using a salt are very important when developing an authentication system. 2:40
    In the next video, we'll move forward with utilizing Bcrypt. 2:45
    We'll also add methods to our user model to create the hash value we'll store in 2:48
    the database. 2:52

    You need to sign up for Treehouse in order to download course files.

    Sign up

      You need to sign up for Treehouse in order to set up Workspace

      Sign up