Should unskilled devs be using GitHub Copilot?

Video Statistics and Information

Captions
Hello everybody, I'm Nick. A few weeks ago I made a video about GitHub Copilot when I first got into the technical preview, and I was very impressed with its skills to autocomplete and suggest C#, even in that early stage. However, many of the comments, even though most of them were very positive, some of them were skeptical about this, and they said that yes, it works because I know how to pick and choose the right suggestions. And to a huge degree I agree, but there's also another side of this, where in the hands of an inexperienced or junior developer this technically can be very dangerous. And I agree, and I want to see how dangerous, and the way to do that is password hashing. One of the most common things that inexperienced or junior people will do, especially on personal projects, is they will opt to do their own password manager instead of using something like Firebase or any other third-party auth provider, for some reason. Now I'm going to assume that I know that storing in plain text is a bad idea, and I also assume that I know what's the difference between encryption and hashing, and I know that I'm going for hashing here. So with all that said, let's see how me as a junior dev now will perform with Copilot's help. If you like this type of content and you want to see more, make sure you subscribe, ring this notification bell to get alerted when I upload a new video.

So let's go. Here in this project all I have is a simple Startup.cs. I'm going to clear that, and I'm going to go straight here and create a PasswordHasher, because I wanna hash passwords. So all I'm gonna do is I'm gonna say public string, and it knows I want that. Now here's a suggestion: it suggests I create a Hash method that accepts the password and returns the password. Like, it didn't do anything. How is that a suggestion? And obviously this won't work, but let's go ahead and do like passwordHasher equals new PasswordHasher here, and then just, you know, result equals passwordHasher.Hash, and let's say nick1234, and then Console.WriteLine and write this in the console. And as you'd expect, we didn't do anything, as expected.

Now I'm gonna give it another shot. I'm gonna just delete that and maybe open the suggestions window and see what we get. Yeah, that's not helping, that's just an empty string. That's not helping, you're just adding 12, 1234, 123 at the end. Ah, how are those suggestions? And the last one, ironically, is a good one, but it would be good if I knew what bcrypt is. Bcrypt is technically fine to use if you understand what bcrypt is, and maybe it's a good point where you go to Google and you search, you know, "what is bcrypt". But at that point you might also just search how to securely hash passwords in .NET. So is it useful for me, Nick? Yeah, because I would just go here to NuGet, search for bcrypt, and I know that this is part of BCrypt.Net. I just added it, and as you can see now I have hashing with bcrypt. As a junior dev we don't know any of that, so that's out of the question for us. Again, I'm gonna go back and open suggestions, and obviously this wouldn't work. So let's say "hash passwords" this time and give it a bit more context and see if that actually makes a difference. End of my suggestions, it didn't. Okay, let's help it a bit.

Now one of the things that I know from the few things I've read on the internet is that SHA is pretty good, so we're gonna say "hash password using SHA". I didn't specify a number, I just said SHA, that's what I read about. So let's see suggestions, and now I got this hex from bytes. I don't know what hex is, uh, maybe just go with that. And now I have a SHA1Managed, and if I go here and I say hash password and I print it, this looks like a hash. Big win! However, it's not a big win, it is a disaster, because first, this class is obsolete, you shouldn't be using it. Then you shouldn't be using SHA-1 for anything other than quick hashes where their integrity isn't mission critical, and ultimately you shouldn't be writing any code like that.

Now here is me, I do a bit of research, maybe I want to start diving into SHA-256, which I've read is pretty good nowadays. So let's see what the suggestions are here. Um, get string from hash, do I need that method really? Can you just give me the... that works. So this is not obsolete, fine, hashes the password and returns it. So now I have a decent hash here. Again we have a problem. In database leaks you might get the full table with passwords, and when two hashes match, you know... every time I hash this thing, nick1234, and say result again and I print it, if I do that the hashes are the same, which means that if two people in the database use the same password, and I can correlate email with password and I crack one, then I instantly cracked everyone else with the same password. So we don't want to do that, we want to have a salt in the mix.

So let's now say, delete that, and by the way, I'm assuming I'm doing some reading on the side. Ultimately, if I didn't, I would have failed this challenge. You know, I have created some really, really easy to crack passwords, still not plain text, but not great. So let's see, random salt. I didn't specify the size but it created it anyway. You know what, let's go with the first one, I don't know what all these things are doing. So hash password salt, let's create the overload. I guess it goes for a comment because it thinks that's the approach I'm gonna go with. What's the salt? Salted password, so it adds the salt to the password. Yes, but I have to provide the salt, so let's generate the salt. Okay, you got that, can you give me the method? Do you want to, like, suggest something cool? Now I didn't specify a size and this just generated a 32-byte salt, which is a bit of an overkill if you ask me for what we're doing with it. Okay, so technically it did that, meaning if I run this now I'm getting two different hashes from that salted password. And how do we verify that, right? Let's verify. No, I want to say verify password, that's it. Uh, get salt, we don't really have a get salt method, but let's go ahead and let it... no, I don't want to generate, I want to get the salt. So it gets the salt, so you know, it assumes that I have a delimiter here, which is a dollar sign, but I don't have anything like that. The salt just isn't present in the password, which it should be, because then I would be able to just get a delimiter and split it and get the salt and match, but I can't. So all this is basically useless, and you're in this pitfall now where you're like, why is this suggesting this, and how can I add the delimiter? And I can turn this into something that makes sense, but ultimately I lost, that's not what I want.

Now I do a bit more reading and I read, and that's common information in .NET, that the default algorithm for passwords is PBKDF2 with SHA-256, with a salt of 128 bits and also 10,000 iterations. So let's put that in a comment: hash password using PBKDF2 with SHA, yes it was a good suggestion, 256, with a random salt, 128-bit salt, and 10,000 iterations. That's what I want, so can you give me that please? Can you redeem yourself? Uh, you can, let's accept you. Okay, so Key... I can't pronounce this word, Derivation. Derivation, yeah, let's just say that. Now this exists in ASP.NET Core, and the reason why I can use that is because the project is a web project technically, so I can have access to that library. I don't know if that's random or not, but you don't have to use that technically. There is also the Rfc2898DeriveBytes class, which can also help you do the same thing, as you can see here. We don't need to, we're just going to use that. Then this is the right size as well: the salt is 128 bits, divided by 8 produces a 16-byte salt, and this will give me what I want. If I remove the static thing here, because I don't need it, and I run this, this is good. However, I still do not have the salt in the actual generated thing, and that's a problem, because I can't extract it to actually use it.

So let's now give it a chance. At this point I'm taking over as Nick to just properly do this. This isn't working. No, I want something that puts the salt on the return type. Come on, really, you're not gonna give me a salted... that's ridiculous. Okay, let's do it manually. So salt is here, and then for a hash password here is that, god damn it, and then the salt would be like something like this. So let's put the salt first, so Convert.ToBase64String, at this point it's just cheating, salt, maybe use the delimiter, like a dot, and then the hashed password. And what this is doing now is I can actually pick up the salt from the beginning to the dot and then use that to verify the password. So now let's say "verify the password is correct". Yeah, okay, you are good with the comment, give it a method please. Understand the delimiter, be smart about this. Yes, thank god. Okay, so gets the salt, gets the hash, stored hash, uh, do we want to compare with that? Let's not overthink it, let's just go for it. So we have the two hashes, fine. isValid equals passwordHasher.VerifyPassword, and it is nick1234, here we go, and then result, Console.WriteLine isValid. Let's do this. False, it's not valid, even though it should be true, and I think that's because it used the wrong thing in the comparison. Hash password, hash password is here, fine, but you're not comparing it against the full thing, you only want to compare it against the latter, which is a byte array, and the other thing is Base64. So actually this doesn't need to be that, and now we can compare it, and now it's true, and if I change it to three, now it's false.

So now we have a decent implementation. However, it just wouldn't take us there without me sweating. It's interesting, and at the end of the day it just shows how much of a companion it is more than anything. Don't rely on it for code, it won't replace us anytime soon. I've seen these comments, they're funny to read, but realistically, don't worry. I say that now, like someone will send this to me in five years when this is writing everything for me, but yes, you are right, whoever is skeptical about this. This is not perfect, I don't think it will ever be perfect, but at least it can make writing all this boilerplate, boring code simpler for people who understand it. And at the end of the day that's what it is, a pair programming tool. It's a suggestion, it's a "do this, maybe", and then you have to say yes or no, like in pair programming.

Well, that's all I have for you for this video. Thank you very much for watching. Special thanks to my Patreons for making videos possible. If you want to support me as well, you're going to find it in the description down below. Leave a like if you like this video, subscribe for more content and ding the bell as well, and I'll see you in the next video. Keep coding.
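The approach the video ends up with (PBKDF2 with SHA-256, a random 128-bit salt, 10,000 iterations, the Base64 salt stored in front of the Base64 hash with a dot delimiter, and verification that compares the recomputed hash only against the hash half) as one complete, added example. This is not the video's code and not a Copilot suggestion; it is written here to illustrate the transcript. It uses the Rfc2898DeriveBytes class the video mentions rather than the ASP.NET Core KeyDerivation helper, and it assumes .NET Core 2.1 or later (for RandomNumberGenerator.Fill and CryptographicOperations.FixedTimeEquals). The class name, method names and the 32-byte output length are my choices, and the sample passwords are constructed.

```csharp
// Added example, not the video's code. Assumes .NET Core 2.1 or later.
using System;
using System.Security.Cryptography;

public static class PasswordHasher
{
    // Parameters the video quotes as the .NET defaults: PBKDF2-SHA256,
    // a 128-bit (16-byte) random salt and 10,000 iterations.
    private const int SaltSize = 128 / 8;
    private const int HashSize = 32;          // derived-key length, my choice
    private const int Iterations = 10_000;
    private const char Delimiter = '.';       // never appears in Base64 output

    // Returns "<base64 salt>.<base64 hash>" so the salt travels with the hash.
    public static string HashPassword(string password)
    {
        var salt = new byte[SaltSize];
        RandomNumberGenerator.Fill(salt);     // CSPRNG; System.Random is not suitable here
        var hash = Pbkdf2(password, salt);
        return Convert.ToBase64String(salt) + Delimiter + Convert.ToBase64String(hash);
    }

    // Recovers the salt from the stored record, re-derives the hash and compares
    // it against the hash half only (comparing against the whole "salt.hash"
    // string is the mistake the video runs into and always returns false).
    public static bool VerifyPassword(string password, string storedRecord)
    {
        var parts = storedRecord.Split(Delimiter);
        if (parts.Length != 2) return false;

        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[0]);
            expected = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException)
        {
            return false;                     // malformed record, not a valid login
        }
        if (salt.Length != SaltSize || expected.Length != HashSize) return false;

        var actual = Pbkdf2(password, salt);
        // Constant-time comparison so a mismatch does not leak which byte differed.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    private static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(HashSize);
        }
    }

    public static void Main()
    {
        // Constructed sample passwords for the demonstration.
        var first = HashPassword("nick1234");
        var second = HashPassword("nick1234");
        Console.WriteLine(first);
        Console.WriteLine(second);
        // Same password, different salts, so the two stored records differ.
        Console.WriteLine(first != second);
        // The correct password verifies against either record; a one-character change does not.
        Console.WriteLine(VerifyPassword("nick1234", first));
        Console.WriteLine(VerifyPassword("nick1234", second));
        Console.WriteLine(VerifyPassword("nick1233", first));
    }
}
```

Because Base64 text never contains a dot, splitting on the delimiter is unambiguous, and because the salt is random per user, two accounts with the same password no longer share a hash, which is the leak-correlation problem the video describes. The 10,000 iterations are the default the video quotes at the time; newer guidance recommends substantially more, and storing the iteration count in the record alongside the salt is the usual way to raise it later without invalidating existing records.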
Info
Channel: Nick Chapsas
Views: 13,029
Keywords: Elfocrash, elfo, coding, .netcore, dot net, core, C#, how to code, tutorial, development, software engineering, microsoft, microsoft mvp, .net core, nick chapsas, chapsas, clean code, dotnet, github copilot, github co-pilot, copilot, github c#, github, github copilot C#, github copilot .net, dangerous copilot, github copilot dangerous, is github copilot dangerous
Id: UDxiy1RYPlI
Length: 12min 31sec (751 seconds)
Published: Thu Nov 11 2021