In this video, we will dive into some best practices of implementing your own authentication on the web.
New Terms
- CAPTCHA and ReCAPTCHA: these are methods/services to verify that a human is the one actually performing an action. When you see fields that make you type in the letters shown in a picture, or, in the case of ReCAPTCHA, select the pictures containing certain objects, you're using a CAPTCHA system. CAPTCHAs evolved out of academic research at Carnegie Mellon by Nick Hopper and Manuel Blum.
0:00 Let's dive into some of the best practices of implementing your own authentication on the web.

0:07 Hash passwords. When storing users' passwords, the most important thing to keep in mind is that you should always hash your passwords. Hashing is a one-way process of securing data with a strong algorithm. Without getting too much into the cryptography of hashing, essentially, as of 2017, you should be using the bcrypt hashing algorithm, which has implementations in every major language.

0:37 The hashed password can never be retrieved in plain text. Instead, the entered password is hashed in the same way as the stored password. These two hashes are then compared to verify a match. Due to the way bcrypt works, if anyone compromises your server and gets their hands on your hashed passwords, it will usually take longer than the lifetime of the known universe to reverse the hash, even with the strongest modern supercomputers.

1:10 Remember, hash your passwords, never encrypt them. If someone steals the key that you used to encrypt passwords, then you might as well have never encrypted them. And managing a cryptographic key in the business logic of a web application is a very risky move. If you can decrypt a password, then so can someone else.
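The hash-then-compare flow the video describes, as an added example that is not code from the course. The video recommends bcrypt; bcrypt is a third-party package, so this example substitutes `hashlib.scrypt` from the Python standard library, which is likewise a deliberately slow, salted password hash. The work-factor values and the stored record layout (`scrypt$n$r$p$salt$hash`) are assumptions made for this example.

```python
"""Salted, slow password hashing with constant-time verification.

Added example. scrypt (standard library) stands in for the bcrypt the video
recommends; the parameters and record format below are assumptions.
"""
import base64
import hashlib
import hmac
import os

# Assumed work factor: 128 * n * r bytes = 16 MiB of memory per hash, which is
# what makes brute-forcing a stolen hash table slow.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
HASH_BYTES = 32


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """One-way derivation: same password and salt always yield the same bytes."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, dklen=HASH_BYTES)


def hash_password(password: str) -> str:
    """Hash a new password with a fresh random salt; this string is what gets stored."""
    salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "$".join([
        "scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the entered password with the stored salt and parameters and
    compare the two hashes. Nothing is decrypted: there is no key to steal."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        n, r, p = int(n), int(r), int(p)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    candidate = _derive(password, salt, n, r, p)
    # compare_digest does not leak how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

Because the salt is random, hashing the same password twice produces two different records, so an attacker holding the table cannot spot shared passwords or precompute one lookup table for all users.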
1:32 Verify email addresses. When you do provide your own sign-up mechanism, you should verify the email addresses you ask your users to provide, assuming you use that in the process. This is one step in preventing malicious users from abusing your service and registering mass accounts at once. However, this is not an all-in-one protection against login abuse.

2:01 Use CAPTCHAs. You should also consider using a CAPTCHA system such as Google's reCAPTCHA in order to deter bots from signing up on your site.
2:12 Implement rate limiting. Another common practice is to limit the number of login requests from a single IP address or client over a period of time. For example, if you notice that a single IP address has attempted to log in 20 times in the last 5 minutes, you should respond with an access denied for a certain amount of time. This prevents automated services from either trying to guess your users' passwords or creating massive amounts of users at once. However, you should be careful when rate limiting by IP, as some networks proxy many users through the same IP. In general, whenever you can rate limit via a known user token, that is the preferred method.
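The rule just described (deny after 20 attempts within 5 minutes) implemented as a sliding-window limiter, as an added example that is not code from the course. It keys on a known user token when one is available and falls back to the client IP only otherwise, which is how the shared-proxy caveat is handled; the class name, the 15-minute lockout length and the injectable `now` parameter are assumptions for this example.

```python
"""Sliding-window login rate limiter keyed by user token, falling back to IP.

Added example. Limits from the video: 20 attempts per 5 minutes. The lockout
length and the `now` override (for deterministic tests) are assumptions.
"""
from collections import defaultdict, deque
import time

MAX_ATTEMPTS = 20          # attempts allowed ...
WINDOW_SECONDS = 5 * 60    # ... within this sliding window
LOCKOUT_SECONDS = 15 * 60  # assumed: how long "access denied" lasts once the limit is hit


class LoginRateLimiter:
    def __init__(self):
        self._attempts = defaultdict(deque)  # key -> timestamps of recent attempts
        self._locked_until = {}              # key -> time the lockout expires

    @staticmethod
    def key_for(user_token=None, client_ip=None) -> str:
        """Prefer the user token: many users can sit behind one proxy or NAT
        address, and an IP-keyed limit would lock all of them out together."""
        if user_token:
            return "user:" + user_token
        if client_ip:
            return "ip:" + client_ip
        raise ValueError("need a user token or a client IP to rate limit")

    def allow(self, user_token=None, client_ip=None, now=None) -> bool:
        """Record one login attempt; return False if it must be denied."""
        key = self.key_for(user_token, client_ip)
        now = time.monotonic() if now is None else now
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return False          # still locked out
            del self._locked_until[key]
        window = self._attempts[key]
        # forget attempts older than the window so stale history does not count
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        window.append(now)
        if len(window) > MAX_ATTEMPTS:
            # the 21st attempt inside the window trips the lockout
            self._locked_until[key] = now + LOCKOUT_SECONDS
            window.clear()
            return False
        return True


if __name__ == "__main__":
    limiter = LoginRateLimiter()
    for i in range(21):
        print(i + 1, limiter.allow(client_ip="203.0.113.7", now=1000 + i))
```

The limiter applies the same rule to both failure modes named in the video: password guessing against one account and bulk sign-ups from one source both show up as many attempts from one key inside the window. In a real deployment the attempt log would live in shared storage (a cache such as Redis) rather than in one process's memory.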
3:01 Allow or require 2-factor authentication for users. The final security measure you can provide your users is the ability to use 2-factor authentication. You can do this easily through SDKs and libraries available in nearly every language. Keep in mind that using SMS for 2-factor authentication is now discouraged, as attackers can easily spoof phone numbers. Because of broken processes, many Internet and phone service providers allow anyone with a small amount of personal information to get access to a person's text messages. Attackers can now get the same text messages you send to a user's phone for 2-factor authentication, allowing them to log in before the victim does. Therefore, using 2-factor authentication from services like Google Authenticator, Duo Security, and Authy is recommended. Again, libraries and APIs exist for each of these providers and are often free to use.
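Authenticator apps such as Google Authenticator and Authy generate time-based one-time passwords (TOTP, RFC 6238), which is why their codes never travel over the phone network. The server side of that check, as an added example that is not code from the course and does not use any of those providers' SDKs: it implements HOTP/TOTP with the Python standard library. The one-step tolerance for clock drift and the replay check on the last used counter are assumed policies for this example; the secret in the demo is the RFC 6238 test key, not a real credential.

```python
"""Server-side verification of an authenticator-app (TOTP) code.

Added example using only the standard library. Drift tolerance and the
replay guard are assumptions; the demo secret is the RFC 6238 test vector.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6
WINDOW_STEPS = 1   # assumed policy: accept one step either side for clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of 30 s steps since the epoch.
    This is what the app on the phone computes."""
    secret = base64.b32decode(secret_b32.upper().replace(" ", ""))
    return hotp(secret, at_time // STEP_SECONDS, digits)


def verify_totp(secret_b32: str, submitted: str, at_time: int = None,
                last_used_counter: int = -1) -> tuple:
    """Return (ok, counter_used). The caller stores counter_used and passes it
    back as last_used_counter next time, so a code captured in flight cannot be
    replayed inside the same step."""
    now = int(time.time()) if at_time is None else at_time
    submitted = submitted.strip().replace(" ", "")
    if not submitted.isdigit() or len(submitted) != DIGITS:
        return (False, last_used_counter)
    secret = base64.b32decode(secret_b32.upper().replace(" ", ""))
    current = now // STEP_SECONDS
    for counter in range(max(0, current - WINDOW_STEPS), current + WINDOW_STEPS + 1):
        if counter <= last_used_counter:
            continue  # already consumed: reject replay
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return (True, counter)
    return (False, last_used_counter)


if __name__ == "__main__":
    DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key, not a real secret
    print(totp(DEMO_SECRET, 59))                                 # 287082
    print(verify_totp(DEMO_SECRET, "287082", at_time=59))        # (True, 1)
    print(verify_totp(DEMO_SECRET, "287082", at_time=59, last_used_counter=1))  # (False, 1)
```

The shared secret is provisioned once (usually as a QR code) and never sent again, so there is nothing for a phone-company process failure to hand over; what the user types is a short-lived proof that they hold the secret.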