1
00:00:00,480 --> 00:00:02,430
Let's take a break from writing code and

2
00:00:02,430 --> 00:00:06,100
talk about how we can make our application more secure.

3
00:00:06,100 --> 00:00:10,360
In the last video you saw that our application stored the user's password

4
00:00:10,360 --> 00:00:12,770
in plain text within the database.

5
00:00:12,770 --> 00:00:16,228
Anyone who looked into the database could find a user's credentials and

6
00:00:16,228 --> 00:00:17,530
log in as them.

7
00:00:17,530 --> 00:00:19,170
That's not good.

8
00:00:19,170 --> 00:00:22,780
Fortunately, there's a way to protect sensitive data like a password

9
00:00:22,780 --> 00:00:24,790
when you store it in a database.

10
00:00:24,790 --> 00:00:29,719
You basically jumble the plaintext password using a process called hashing.

11
00:00:29,719 --> 00:00:34,366
Cryptographic hash functions take a piece of information and return a string,

12
00:00:34,366 --> 00:00:37,570
called the hash, that represents that information.

13
00:00:37,570 --> 00:00:41,695
There are many different hash functions, but most take a string of any length and

14
00:00:41,695 --> 00:00:45,700
produce what looks like a random mix of numbers and letters.

15
00:00:45,700 --> 00:00:50,760
No matter the length of the input, the resulting hash is always the same length.

16
00:00:50,760 --> 00:00:54,790
The exact cryptographic function determines the length of the hash.

17
00:00:54,790 --> 00:00:58,610
In our app the hash values will always be 60 characters long.

18
00:00:59,690 --> 00:01:03,730
When users log in to a site, they enter their plain text password.

19
00:01:03,730 --> 00:01:07,844
The web application runs the plain text through a hash function and

20
00:01:07,844 --> 00:01:11,309
compares the output to the hash stored in the database.

21
00:01:11,309 --> 00:01:15,841
If they match, then the user is authenticated and logged in.

22
00:01:15,841 --> 00:01:18,170
Hashing is a one-way process.

23
00:01:18,170 --> 00:01:21,910
That is, you can't unhash or decrypt a hash value.

24
00:01:21,910 --> 00:01:23,920
For passwords, that's ideal.

25
00:01:23,920 --> 00:01:29,290
If someone gains access to the database, they'll only find the password hash value.

26
00:01:29,290 --> 00:01:32,740
Typing the hash value in the login form won't do anything.

27
00:01:32,740 --> 00:01:34,910
And it's not easy to unhash or

28
00:01:34,910 --> 00:01:39,320
figure out the password, even if you have the hashed password from the database.

29
00:01:40,610 --> 00:01:42,270
However, with enough effort and

30
00:01:42,270 --> 00:01:45,658
computer power, even hash values aren't completely secure.

31
00:01:45,658 --> 00:01:50,110
Someone can reverse engineer a hash to get to the original password.

32
00:01:50,110 --> 00:01:51,440
So, to add more security,

33
00:01:51,440 --> 00:01:55,490
we can use something called a salt to randomize the hash value.

34
00:01:55,490 --> 00:01:58,370
Now, it's not the salt you sprinkle on your French fries.

35
00:01:58,370 --> 00:02:02,930
Salt in cryptography refers to random data that you include with the input for

36
00:02:02,930 --> 00:02:04,360
your hash function.

37
00:02:04,360 --> 00:02:07,900
A salt should be randomly generated for each password.

38
00:02:07,900 --> 00:02:10,510
The salt is concatenated, or added, to the password and

39
00:02:10,510 --> 00:02:15,160
then processed by whichever cryptographic hash function you're using.

40
00:02:15,160 --> 00:02:18,820
The output of that function is stored in the database, as well as the salt itself.

41
00:02:19,870 --> 00:02:24,663
For hashing passwords in this project, we'll be using the Bcrypt node package.

42
00:02:24,663 --> 00:02:30,100
As noted on the project's website, Bcrypt is a cross-platform encryption utility.

43
00:02:30,100 --> 00:02:33,860
It's a popular option with the nodeJS community when hashing user passwords.

44
00:02:35,310 --> 00:02:39,200
We should always keep our users' data safe and secure.

45
00:02:39,200 --> 00:02:40,310
Hashing passwords and

46
00:02:40,310 --> 00:02:45,100
using a salt are very important when developing an authentication system.

47
00:02:45,100 --> 00:02:48,580
In the next video, we'll move forward with utilizing Bcrypt.

48
00:02:48,580 --> 00:02:52,610
We'll also add methods to our user model to create the hash value we'll store in

49
00:02:52,610 --> 00:02:53,190
the database.