Node Password Hashing with bcrypt

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

hey everyone welcome to wi codee we in this video we're going to learn how to Hash passwords with node using the bcrypt library so before we get into this video let's talk about how to store passwords so passwords need to be stored in a database such that even if the database was breached by a hacker the hacker would have a hard time using the passwords to do this the actual password values should not be stored in the database but rather a hash of the password this not only protects the password from hackers but also from anyone who has access to the database including developers so the best way to store passwords is to store their hash which we can do with the node bcrypt library but what is a hash so a hash is the result of input being passed through a hash function hashes are the best way to store passwords as unlike encryption hashes cannot be reverted back to their original values therefore if a hacker accessed a database of hash passwords they wouldn't be able to decrypt them instead they would have to pass random passwords through a hash function to try and match one of the hashes stored in the database a common way to Hash passwords with node is to use bcrypt which we'll do in this video which is an npm package that's used to Hash passwords so to get into this now get into the code let's just quickly set up our project which we can just do mpm init es6 Dy and then we just need to install bcrypt which is simply a package called BCR or spelled BCR ypt and now inside this directory let's also just create a source folder and inside there an index.js file and now let's actually start hashing passwords and to do this I'm just going to paste some code in here so all we've done is import the bcrypt library we have an asynchronous function called hash password and the way you hash passwords with bcrypt is you use this function hash so then oh and misspelled this here so what we then do is we just have a user password called password and we provide it to this function hash password but let's see what happens if we run this so we can run this simply with node source and index.js and you can see that when we run this code what we're actually given is an error saying data and salt arguments required let me actually see if I can zoom in so it's an error saying that a salt is required essentially and so what this error means and why this happens is because security wise storing a hash alone is not enough and this is because the same input provided to a hash function will always give the same output in other words say we use this say we hash string password what it will do is it'll create some kind of hash some kind of random string of characters like this and though every time we hash this string password if we're using the same hashing function it will out print this or output the same hash and because of this there are giant lists of common passwords and their corresponding hashes which is what hackers use to identify hash passwords in a database so say the hacker gets access to a database filled with hash passwords well a very common password people could use would just be password and that hash will most likely be in that giant list that the hackers have and then anytime they see this hash here they think oh that user's P password is just password so a better idea is to store a unique hash for each password and the way this can be done is using a salt and so what a salt is is it's a unique randomly generated string that's added to each password and then the salt and password are hashed together and this is what bcrypt here is saying it requires because it needs needs a salt provided to this hashing function and we can actually use bcrypt to generate a salt for us so we can say salt and then we just use bp. gen salt and next inside this function we just pass the salt in here and now if we run this program so let's run this again now what we get outputed is a hash and each time we run this program it will be a different output notice how each one of these it's different because the salt being created here is different each time if we didn't have a salt then if we're just hashing password with the same function it would be the same output which we learn is a security issue and now just something to know about this structure here is this actually means something um let me paste something over here so what this string of characters here is essentially this so we have a dollar sign right here next we have the algorithm that's being used so here the algorithm is 2b which essentially just means bcrypt next we have the amount of salt rounds which will'll go over in a sec or we have a dollar sign and then cost or the number of salt rounds which is 10 and what this means we'll go more in depth into this but this essentially means that 10 salt rounds or two to the^ of 10 iterations were used to generate the hash then we have another dollar sign and then we have the salt next to the hash so if we actually log out the salt too so console.log salt run this program again we can see the salt listed right here of course along with once again the algorithm and the salt rounds and then then here's the salt which we can see right here and then on this side so over here is the actual hash so let's go more in depth on salt rounds now so this gen salt function right here also accepts an argument for the amount of salt rounds or cost and essentially the higher the salt rounds the more secure the password will be but at the cost of performance due to CPU and GPU computation time specifically the higher the salt rounds the higher the rounds of hashing by default if we don't provide anything in here the value will be 10 which is why 10 was listed here but say we want to provide something like 12 that means we have higher rounds of hashing and if we run this again so now we run this program we can see 12 is outputed here and of course the higher this goes the longer this will take to compute so say we do 15 notice how it's taking a bit of time to compute it and so if you're curious as a rule of thumb the number of rounds to use should be based on the specs of the system performing the hashing you want your password to be as as secure as possible but you don't want to use a number of rounds that would hinder your application's performance but so that's it with how we can hash passwords now let's go over how we can verify passwords so we can hash password bcrypt and we can also verify them so let's create another function here and I'm just going to paste in some more code just like this and this function is going to be called compare password so we have one function to Hash the password and then one to compare or basically see if the provided pass password is the correct one and so the way we do this with bcrypt is we use the function compare and what it Compares is the first argument is a string you want to compare and then the hash that you want to compare it to and the result is either true if it matches or false if it doesn't so let's actually change our program now to have to use both of these so we have our usual hash password function then we have our compare password and we have this function main which what it's going to do we run the main program here we're just going to create a user password called password we're going to Hash it here then we're going to verify it and if it's verified then it'll log out verification which will be true so if we run this we can see the password verification is true but now let's say just let's log out a password hash here so console.log password hash and we can see the verification is true now let's just change this say let's add this hash here let's do another one let's copy this and also put this hash here so even though these are different hashes and this comes of course from the salt note how no matter what we provide to if we provide either of these for the password hash the verification will be true so it's true with this even though it generated something differently and then we use say now let's just do this one as another example don't know what happened there let's so now if we do this too it's true once again and remember that's CU these are outputting different ones because of the salt which is a security which is done for security purposes and of course if we delete some of these character characters so now it's different if we run this program we will get password verification is false and now just real quickly I want to go over how this works with a database so when it comes to storing hash passwords in a database we need to store both the hash and the salt in the database and this of course is so the hash can be recalculated when the user logs in specifically what happens is say the user logs in the salt for that user is fetched from the database most likely using the username and then it's appended to the provider password the password and salt are hashed and then compared to the hash that's stored in the database so you can see how of course you have to store both the salt and the hash however what's nice about bcrypt is because we know that the hash it returns here contains both the salt and the password all we need to do is just store the hash as what bcrypt creates here is what as what bcrypt returns from this hash function already contains the salt with the hash and then you just need to supply it to compare and it will let you know if it's true or not but so this was my video on hashing passwords with node and bcrypt if you want to support me please consider downloading my Chrome extension called wit scepter Link in the description besides that Thanks for liking and subscribing today and I hope to see you in the next one have a good one

Info

Channel: WittCode

Views: 138

Rating: undefined out of 5

Keywords: WittCode, wittcode

Id: esa_t_-PJ6A

Channel Id: undefined

Length: 9min 15sec (555 seconds)

Published: Thu Feb 15 2024