We found a package we want to use, bcrypt.

But how do we install it?

If you want to follow along you can either install this package on your computer or

you can launch the workspace for this video.

Since NPM is a command line tool, we'll spend most of our time in the console.

If you're working with MPM installed on your own computer, you'll use the command

prompts if you're a Windows user or the terminal application if you're on a Mac.

Let's make some space so we can see what we're doing.

Type npm, and this shows all possible commands that you can use with npm.

There is a command called install.

If you ever want any help on a command, type npm,

the command, and then -h.

As you can see,

there are several different ways to call the install command.

Npm install, npm install with the package name, mpm installed with the package and

git tag or version number, you can install it from another folder.

You can install it from a tarball file.

A tarball is a file former that combines multiple files into a single file.

This could be a file on your local computer or hosted remotely on a server.

Finally, you can install it via the git url or

even just by pointing to the git hook project for a particular git hook user.

You can use the clear command to clear out the console at any point.

We know the name of the package we want, and we want the latest version.

Because we always want the most up to date version of this package,

we don't need to include a version number.

So lets type mpm install bcrypt.

Mpm goes to the mpm online repository of packages.

And it asks for the latest version.

MPM downloads the package and installs it.

Unless there's any issues, which there is in this case.

B crypt depends on a version of python between these two versions.

In workspace, the version of python is 3.4.1.

However, the message, when we tried to install bcrypt,

said that we could use the Python flag.

This is so we can specify another version of Python.

In workspaces we have Python 2 installed as the python2 command.

We can use this with our python flag.

This time it installed successfully.

B crypt itself requires a couple other MPM packages as well, and

it installs them too.

Bindings and nam.

I have no idea what to do, and you don't need to worry about them either.

They're what B crypt needs, and that's good enough for me.

Node-gyp is a node module that helps node compile

other programming languages so it can be used by your node.js Java script code.

You may see something like this from time to time so so

don't get too startled when you see something like this.

Also flags like --python aren't that common either.

A lot of npm packages are just plain JavaScript.

It requires no compiling and no flags.

So where is the package installed?

Npm creates a special folder called node modules.

If we go to the file tree on the left and then right click and go down to refresh,

you'll see the node_modules folder, in the node_modules folder there's

a bcrypt folder and in there it contains all of the code the package requires.

You'll also see the center of the node_modules folder containing bcrypt

dependencies too.

In the upcoming version of npm, npm three,

all dependencies are put in the top level node modules folder.

You rarely need to do anything in these folders.

You may want to look at some of the source code if something is

really plaguing your project, but mostly you'll leave this alone and

let npm handle the contents of this folder.

You've installed the module on your computer or

workspace, but how do you include it in your JavaScript project?

A common usage for

bcrypt is to create secure strings of passwords to store in a database.

Why don't we use bcrypt to encrypt passwords?

We start be creating an @js file.

Let's create a hash for a string of password.

To learn how to use bcrypt we can either go to the packages page on npm,

its GitHub project repository, or if we're without the Internet,

we could look at the read me in the bcrypt folder.

Let's take a look at the recommended usage and copy the example code into our app.js.

Let's replace this string that resembles bacon with our unsecured plain

text password and go over what this does.

We used the required function with the name of the module to include

that module's code in our app.js file.

Notice how we're not including the file path to the bcrypt code.

There's a special file in the bcrypt folder called package.json.

This tells node which files to include when including this module.

In the package.json, there's a key of main and

the path to the file that we want to include.

In this case is the bcrypt.js file.

Then we use one of bcrypt's methods to generate a unique string or

salt, and we use that to generate another unique,

unrecognizable string or hash from the original password string.

Let's log this hash out.

In the command line, when we run node

app.js, We get a unique string,

a hash generated from our password and salt.

This course isn't about encrypting passwords or checking encrypted passwords.

However, if you are feeling adventurous, read the documentation to see how to

check a password against a generated hash like this one.

This is something that you'll want to do frequently.

Storing plain text passwords in a bad idea.

If your database is compromised by a security breach, a hacker can see them and

use the passwords to access email or bank accounts of your users.

Having a password hashed, and

with b crypt in particular, means that hackers have a junk string.

They need to know the password to generate that string.

Each password is generated by a unique salt or random string.

A hacker would need to generate all possible passwords for

each hash in the database to determine each user's password.

This can take an almost infinite amount of time to do.

We've used npm to install a package in our project.

This is known as a local package, meaning it's local to the project.

We've included it in our application, and

we've used other people's programming to generate a hashed password.

Next we'll take a look at how to install a global package.