Five Password Authentications From Least to Most Secure (Explained with NodeJS & Postgres)

Captions
What is going on guys, my name is Hussein, and in this video I want to discuss five methods of authentication. So guys, authentication is the process of verifying your identity by supplying some sort of a credential to a back end, and the back end will try to know who you are and verify it: okay, this guy is Rick, this guy is Paul, this guy is Hussein, right? Versus authorization, which is the process of: yeah, we know who you are, we know you, Paul, but are you really authorized to access this resource? So that's a little bit of a difference. So I'm gonna explain authentication, and not only one method; one to five methods. The first one, no one in the right mind should even consider using it, right? And the final one, the fifth one, is actually only the paranoid using it. So where are you in the spectrum? We're gonna explain all these methods.

All right guys, I have here a very bad user experience that simulates this stuff in the HTML, because I'm not Brad Traversy, I'm very bad in the front end, but it does the job. It has some text boxes, there is a login button and there is a register button. Login will attempt to send a POST request to /login on a back end, and we're gonna go through that process, and register will also do a POST request, but it will register using this username and password, right? So it will insert something in the database. How about we actually go in the back end and explain that stuff? So my back end here has five .mjs files, right, and each one describes a certain method of authentication that I'm gonna go through in detail. And as I start describing these methods, you're gonna see some time codes so you can jump to the interesting method of authentication.

So the first method is, upon registering the username, we will store the password as plain text. Yes guys, we've got to go through all the bad methods, even if they are bad; we have to explain everything, right? Storing the password as plain text and verifying it using just a cool simple query to the database. The second method is a little bit better: we're gonna hash the password and store the hash in the database. A little bit better, right? So if someone, the DBA for example, looks, or if the database leaks, nobody can see the passwords. But there is a whole set of problems with this; we're gonna go through that, right? And the third method is, well, we're gonna store the hash, and alongside it we're gonna add another column called salt, right? This is a little bit of a better method, right, and we'll explain why it's better and why method two is actually not that great, but we had to pay an extra price to actually store another column, right? Method four is one of the most popular: it is to use bcrypt, which kind of also salts its password with a hash, but the salt is stored in the hash itself, so we don't need that extra column, which is also cool. We're gonna explain that and go through the code. And the final method is for the paranoid: never actually store the password at all, right, and rely on the user to supply the password to access anything, right? So everything is stored encrypted in the database, and not even the owner or the DBA can actually see what's going on, right? Previously, with all of these methods, the DBA can actually still query the database and look through the data, right, because it's all there. But in the fifth method it's all encrypted, and only the user-specified password, like, he or she can encrypt or decrypt that content to actually view it. If they lost the password, that's done; there is no recovery from that. How about we go through all of these methods, guys?

So the first one is: store the password in the database as plain text. Let's go through the actual columns in pgAdmin, okay, so I can show you. And yeah, it's just a query: authentication method one. I have two fields, username and password; they are distinct fields, all right. And what we're going through here is very simple: we're creating a pool of a number of connections by default when we start the database, and we're sending the HTML file (maybe we'll go through the HTML file, which is login.html, that page that you saw). There is a POST request that performs the login, and when you send me that JSON, which is the username and password, right, I will literally query the authentication method one table where username equals this and password equals this, the plaintext password, just query the database and get back a result. And we know if we got no results, that means either the username doesn't exist or the password is incorrect, right, or both, and we just send an error back; else, send back 'login successful'. How about register? Register: so first of all we need to check if the user actually exists, so I'm gonna query the authentication method one table where username equals this, and let's just provide the username that the user supplied. And if we don't find anything, that means yes, we can actually create the user because it doesn't really exist: go ahead and insert into the authentication method one table the username and password, just plain text, just write it down to the database. Else we get an error, okay.

How about we show you the login file for once? This HTML file will stay identical for all the methods; the only thing we're gonna change is actually the back end. All right, so we have an HTML file where there are text boxes, username and password, and the login and the register buttons. We're wiring some events here so that if I'm logging in, this is the login button; if someone clicks on that, I want to send a POST request to the login page, /login, right guys? That's the /login, that's what we called it, right? And then this is what we send: method POST, headers, it's obviously JSON, and just send the username and password as JSON so we can pick it up. That's what we saw here, right: request.body.username, request.body.password. Sweet. And the register is exactly the same, we just change this to /register, so just POST, right? Cool.

We know the HTML, we know the back end, the first method. How about we actually run it? So authentication method one, let's run it, and the table is now empty obviously, because there's nothing in it. Let's go ahead and create a new user called test, and the password is also test, and register. We get 'user created successfully'. Query the database and we have test/test. That's bad obviously, because if this database got leaked, like Equifax happened, everybody will have the password right now. I'm not saying Equifax had the passwords as plain text, but there are some problems with this, and there's a very bad problem, right: you never do this. And if I log in, say login, I'm logged in successfully. If I type in a wrong password, yeah, 'incorrect password and username'. Sweet. How about we create another user, Paul, and the password is test123, because that's the best password ever, like, 'user created successfully', and if I log in I'm getting 'login successful'. Boring, boring stuff, right?

Moving to the next method, which is the hash, right? We close this, now we're in authentication method two, and let's discuss this. So what we're doing here differently is everything is the same, except when we store, that's totally the register. When we were registering, the only thing we're doing different is we're hashing this using a method called SHA-256, right? This is a function that takes some text and creates a hash, a one-way function, right? So what we're doing here is insert into authentication method two, which is the other table, the username and password, and the password here is the actual hash. So we're not really storing the actual password, just the hash of it, which is irreversible; you cannot just reverse it. So take the body username, hash it, store the hash, and say it's successful; else we get an error. All right, login, how do we log in? Well, same thing, we've got to query the database, but here's the only difference in the query: we're querying for the hash. So whatever the user sent us, we'll hash it and shove that into the database as a query, and if we got something, that means it's successful, else no. How about we run this and we'll see what's wrong with this in a minute? So refresh this. I'm gonna create a user called test. Query authentication method two here: there's nothing, right, in the second table. Let me register test, the password is test. Now we get this. Huh, well, better; this is just garbage, right? Nobody can actually use this and log in, right, even if the database got leaked, right? But let's create a user called Paul, and the password is something else, admin, right, and query. This is working, this is actually pretty good, huh, some hash. How about we actually log in? Well, I can log in successfully, that's great. User Rick, and his password happened to be also test, right? Register, query. What? Well, that's shady, look at that: username test has the same password as username Rick, huh, right? So that is just a bad idea in general as well, because obviously the actual table will not just have two fields, right, there will be like a hint field, right, and people put all sorts of stupid hints for their passwords, like 'usual password' or 'test' or 'my pet' or whatever. And if you read enough hints, if this database got leaked, you can actually guess that password, because you just look at all the passwords that look the same, look at the hints, and you can essentially guess it. All right guys, so that's the second method, obviously also bad, not as bad as the first one, but yeah, you can live with it. I mean, yeah, if nobody cares about your database and your authentication, right, if you're building like, I don't know, a system for your local community, right, you can use this method. But why, if you can actually solve the dang thing? You can salt it. So what is salt?

So the third method is actually salting it. So instead of just taking the same text and generating a hash, which results in the same hash, which kind of looks a little bit sketchy, what we want to do instead is insert another factor, which is what we call a salt. A salt is just a random string that you store in the database as well, as a third field, right? So if I query number three now, you can see there is a field called salt. So we store the salt, the random value, and we store the hash as well. So now let's go to the register and see how it looks. The register code, this is what we're gonna do: our code will query authentication method three, and what we'll do is, hey, there's no user, create a random salt (think of this function as just, I don't want to show it because it will just generate a random string, because we want a random string), use that random string and save it in the salt field of the database, there is a field called salt. But when you hash the password that the user gave you, take the password and the salt and hash those two together, so they are essentially unbreakable, right? But now if you look at the database, even if two people have the same password, they will definitely not have the same salt, and as a result they will definitely not have the same hash, right? Pretty good, pretty good method, a little bit of work, you're forcing me to store another field, which I don't like, but yeah, that's a pretty good method. Let's actually test it with three, and I'm gonna make that code available for you guys, so don't worry about it. So now authentication method three is listening. Now when I query, there is nothing. Finally, refresh, let's just do test and test and register. Oops, all right, I just have a breakpoint, let's remove it. Successful. Look at the database, query, look at that beautiful salt, right, beautiful. So now if I create a user Paul and I register, they have the same password, and you can log in, right? We're gonna go through the login code, we didn't go through that. But if I query, both of them have the same password, but look at that, they are different. So now we just made it harder on the hacker, the attacker, whoever got their hands on the database; we're making their life harder to actually guess the password. All right, that's good.

We didn't actually go through the login code, so how about we go through it. The login code: we query the database, now this is not just one query; this is now essentially one query, pull the results, and not just compare the number, because we need to do some client work here. We select star, probably a bad idea guys, don't do that, you select only what you need, but yeah, I'm just testing, this is a tutorial, right, it's not production code anyway, you know that probably. So we query that and we check that, hey, all right, if there is no user, then this user doesn't exist, so I'm gonna return this error. And by the way, I don't say that the user doesn't exist, because we don't want to give the client hints about what the actual situation is. You always give as vague a result as possible, that's just known, right? You don't give him 'oh, by the way, the username is okay but the password is wrong'. Don't do that; try to make it as vague as possible. All right, so we get the password from the database, which is salted, right, the salted password, that's what the database has. We take the plaintext password that the user gave us, and you might say, Hussein, why are we sending the password in plain text? That sounds a little bit sketchy. Well, not if you have TLS; you're absolutely fine if you have TLS, remember, you're encrypted, that's why you always have to have HTTPS. And we talked about TLS, I'm gonna reference the video here, right? So it's encrypted technically on the wire, so nobody can sniff your plaintext password. So take that plaintext password, take the salt from the database (because we queried the database, we use the salt that we stored), combine them, and if we got the same salted password, we are no longer salty, we can actually return 'hello, did it exist for you'. How about that, right? And that's pretty cool. So that's the third method.

Fourth method, probably the most popular: bcrypt. There's a library called bcrypt, which essentially uses salt, but it is creating the salt for you and storing the salt in the resulting hash, as in it takes some part of the hash, a few bytes, and stores the salt there too, so you don't have to worry about any of that stuff. How about we actually go through that, method four. So go through the register code as usual. Register code: on register, we query the database for that user, right, and if we got no user, obviously we can create it. We use the bcrypt function, you give it the plaintext password, and you give it how many times you want to generate this salt, because really, the randomness guys, if you don't know that, it's an unsolved computer science problem, you cannot really truly generate a random number, people try, that's why you give it some number here, so we try as much as possible to generate a truly random number. But yeah, that's way above my head, some professors are still researching this stuff, right? Yeah, we get the hash, right, but the hash actually has a salt in it; oh, but that hash is the hash, and part of it is actually the salt, so I don't have to worry about the salt because the salt is in the hash. Okay, now I'm gonna go ahead and insert the username and password; no need for an additional column, you're cool, and just store these two pieces of information, the username and the hash. And then the login: we can use the bcrypt function, we query, get the password, the salted password, which happens to have the hash and the salt in it at the same time, and if you give me this, bcrypt does compare: you give it the plaintext and I can compare it with the salted password, which happens to be the salted hash, and they're all combined together. So what bcrypt will do, it will take the first few letters or few characters and use it as a salt and do the same exact thing that we did with method three, guys, and it will give you true or false. If it's true, login successful; false, you are not authorized, you shall not pass. All right, how about we run this thing and test this thing? All right guys, I'm gonna do... this is just authentication, guys. Authorization and access tokens, I'm gonna make a JWT-specific video just talking about that; this is just the login, guys, a subsequent request is another story, right? All right, authentication method four, and obviously we have only two columns, good. Now refresh and let's create a user called test, and the password is also test, register, created successfully, and let's create a user called Paul, same password, register, and let's create a user Hussein, and register. And obviously if I log in, all the same password... sweet. Refresh and look at that, they are different, but they look very suspiciously the same, right? This is what I talked about: the first few characters are essentially the salt, and despite me using this number 10, it looks like we're using the same salt somehow, I don't know what is up with that guy, let me know if I'm using this function incorrectly, the bcrypt, but nevertheless they are different passwords. All right, so bcrypt, guys, bcrypt, right, that's the fourth method.

And the final method, right, and there are some services that actually use this, by the way guys, it's called Keybase. Keybase is actually one of these services that... it's not exactly what I have done here, but it is using something like that, right? So the password is actually up to you: you store the password, you give me the password and I'm going to decrypt everything you have; even they don't know your data, they have no idea, right? So in the fifth method, no password is stored, so technically you still need a database to store the encrypted stuff. How about we actually go to the register and see what code we write here. And I'm using here essentially a symmetric key encryption algorithm to encrypt and decrypt what they have, using the password as the key, probably a bad idea, but this is just to demonstrate the possibility of doing things. So the register: we query and check if the username exists, same thing, if it doesn't exist, good, and I'm gonna encrypt their data. And I'm using the username as the actual data, but think of it as just the whole, I don't know, the profile or everything, right, and I'm using the password as the key, that's the key. So encrypt this, you get some encrypted data, insert the username and the data, not the password, just the actual encrypted data, in the database. So method five has actually two fields, username and user data; there is no password, we don't store the password, we just store the encrypted user data, and then we tell the user, hey, successful, else failed. And the login is very similar: you query the database, you get this encrypted data, but even the application itself doesn't really know what this is, right? So what it does is, you take the encrypted data and you attempt to decrypt it with the supplied password, and whatever you got there, you send it back to the user. If this function failed, I've changed it so it returns an actual error of whatever happened during decryption, that probably says, hey, I couldn't decrypt your data, that's what it means. How about we test this thing, final thing. All right, let's just test this thing. I'm gonna create test and the password is test, I'm gonna register, and probably I have a breakpoint, yeah, that's what I thought, this encrypt, and now 'user created successfully'. Now if I go to method five and query that final table, look at that, it's just a bunch of encrypted data; nobody can actually decrypt this thing unless they try to brute-force it. There's just data and username, there's no password. So now guess what, if you can log in, I am going to attempt to actually give you the results, I'm gonna decrypt that thing, and if I could decrypt it, which I happen to decrypt, good, I'm gonna send you that data and I say, hey, this is what I have, just the data, which is 'test', which is the username in this case. How about if I supply a bad username, bad password, 'hello' again? What we're gonna get is an error. Let's show the error: this is exactly the error that the AES algorithm throws at me and I just throw it back at the user, hey, 'bad decrypt', I couldn't even decrypt this thing.

So guys, these are the five methods of authentication that I can come up with. What do you think, what is your favorite, number one, number two, three, four or five, or even six, do you have more? Let me know in the comment section below, and stay tuned for more videos like this. I'm gonna talk about access tokens and refresh tokens and JWT, and whether JWT is a good idea or not, why did we invent JWT, all that stuff, in another video; it deserves its own video, to be honest. All right guys, maybe OAuth also, that's another video by itself. Authentication, authorization, all that stuff, we're gonna talk about it in another video. If you enjoyed this video, give it a like, share it with your friends, I'm gonna see you on the next one. You guys stay awesome. The code is below.
Info
Channel: Hussein Nasser
Views: 12,052
Keywords: authentication, web authentication, password authentication, bcrypt, Nodejs, Nodejs bcrypt, Nodejs password, Nodejs authentication, Postgres nodejs authentication, Password storing in postgres, Nodejs encrypting passwords, Authentication in postgres, Nodejs bcrypt postgres, Postgres, Postgres bcrypt
Id: _t8EPImx9LI
Length: 25min 10sec (1510 seconds)
Published: Fri Apr 10 2020