Learn how to keep passwords secret. You learn how to use bcrypt, a password hashing algorithm that converts a password into a fixed-length string of characters. Hashing lets you store a password in a database so that, even if the database is accessed, an attacker cannot read the real password and log into your site with it.
New Terms
- Hashing — using a function which takes some piece of information and returns a fixed-length hash that represents that information; the process is one-way, so the original input cannot be recovered from the hash
- Salt — randomly generated value, unique per password, that is concatenated with the password before hashing and stored alongside the resulting hash
-
0:00
Let's take a break from writing code and
-
0:02
talk about how we can make our application more secure.
-
0:06
In the last video you saw that our application stored the user's password
-
0:10
in plain text within the database.
-
0:12
Anyone who looked into the database could find a user's credentials and
-
0:16
log in as them.
-
0:17
That's not good.
-
0:19
Fortunately, there's a way to protect sensitive data like a password,
-
0:22
when you store it in a database.
-
0:24
You basically jumble the plaintext password using a process called hashing.
-
0:29
Cryptographic hash functions take a piece of information and return a string,
-
0:34
called the hash, that represents that information.
-
0:37
There are many different hash functions, but most take a string of any length and
-
0:41
produce what looks like a random mix of numbers and letters.
-
0:45
No matter the length of the input, the resulting hash is always the same length.
-
0:50
The exact cryptographic function determines the length of the hash.
-
0:54
In our app the hash values will always be 60 characters long.
-
0:59
When users log in to a site, they enter their plain text password.
-
1:03
The web application runs the plain text through a hash function and
-
1:07
compares the output to the hash stored in the database.
-
1:11
If they match then the user is authenticated and logged in.
-
1:15
Hashing is a one way process.
-
1:18
That is, you can't unhash or decrypt a hash value.
-
1:21
For passwords, that's ideal.
-
1:23
If someone gains access to the database, they'll only find the password hash value.
-
1:29
Typing the hash value in the login form won't do anything.
-
1:32
And it's not easy to unhash or
-
1:34
figure out the password, even if you have the hashed password from the database.
-
1:40
However, with enough effort and
-
1:42
computer power, even hash values aren't completely secure.
-
1:45
Someone can reverse engineer a hash to get to the original password.
-
1:50
So, to add more security,
-
1:51
we can use something called a salt to randomize the hash value.
-
1:55
Now it's not the salt you sprinkle on your French fries.
-
1:58
Salt in cryptography refers to random data that you include with the input for
-
2:02
your hash function.
-
2:04
A salt should be randomly generated for each password.
-
2:07
The salt is concatenated or added to the password and
-
2:10
then processed by whichever cryptographic hash function you're using.
-
2:15
The output of that function is stored in the database as well as the salt itself.
-
2:19
For hashing passwords in this project, we'll be using the Bcrypt node package.
-
2:24
As noted on the project's website, Bcrypt is a cross-platform encryption utility.
-
2:30
It's a popular option with the Node.js community when hashing user passwords.
-
2:35
We should always keep our users' data safe and secure.
-
2:39
Hashing passwords and
-
2:40
using a salt are very important when developing an authentication system.
-
2:45
In the next video, we'll move forward with utilizing Bcrypt.
-
2:48
We'll also add methods to our user model to create the hash value we'll store in
-
2:52
the database.