If you have ever tried to build a backend with sign-in/sign-up, one of the main concerns is "how do I keep my users' passwords safe?"
Let's dive into it.
Say you have an authentication system and you have to store a username and password for each user of your application in your database. The user's username is "Abc" and the password is "Abc$123", and you store both in plain text. Now if an attacker breaks into your database, they can steal every username and password and log in to any user's account straight away.
Hacker: I just hacked the database, now I can log in with any user's details.
But then what's the solution?
Simple: we will not store the password in plain text.
Before learning how we do that, let's see how our authentication works:
- The client enters a username and password
- The backend checks whether the login credentials are right or wrong
- To do that, the backend talks to the database, checks whether that user has already signed up and whether the credentials match, and returns the result
Now back to what we can do: at sign-up the backend computes a hash of the user's password and stores that hashed value in the database instead of the password itself; at sign-in it hashes the submitted password again and compares the result with what is stored. This whole process is called password hashing.
Hacker: Okay, I will just turn that hashed value back into the plain password.
A password hash is a one-way function: it turns a plain password into a hashed value, but there is no way to turn the hashed value back into the password. Say your password is "abc$123" and after hashing it becomes something like "dfdfvsa#342123%EFW$" (an illustrative value; a real bcrypt hash looks like "$2b$10$..." and also encodes the cost factor and salt). There is no way to recover the password from that, and if someone tries to log in using the hashed value as the password, the backend hashes that input and gets a completely different value.
So whenever the user logs in, the backend hashes the submitted password again and checks whether the result matches the stored value. Even if an attacker steals our users' login data, all they have is the hashed values, and they cannot log in with those.
How to do that:
We can use the npm package bcryptjs to make the hash. Use a dedicated password hash like bcrypt rather than a fast general-purpose hash such as MD5 or SHA-256: those are built for speed, so an attacker can test billions of guesses per second against a stolen hash, while bcrypt is deliberately slow and its cost factor can be raised as hardware gets faster.
Hacker: Ha ha! I already have a table containing the hash values of millions of common passwords.
To deal with these precomputed tables (rainbow tables) we use a SALT: a random string of characters that the backend generates and combines with the user's password before hashing. Say the salt is "12#42$6": when the user enters the password, the backend attaches the salt to it and then hashes the result, so the attacker's table of plain-password hashes matches nothing. Two things matter here. First, the salt must be a fresh random value for every user, not one fixed string for the whole application, so that two users with the same password still get different hashes and every account has to be attacked separately. Second, the salt is not a secret: it is stored next to the hash (bcrypt embeds it in the hash string itself) so that the backend can reproduce exactly the same hash at sign-in.
code:
  const bcrypt = require('bcryptjs');

  // genSalt is async: await it, otherwise the "salt" passed to hash() is a Promise
  const salt = await bcrypt.genSalt(10);
  // bcrypt can also generate the salt for you: bcrypt.hash(password, 10)
  const secPass = await bcrypt.hash(req.body.password, salt);
  // store only the hash, never req.body.password itself
  const user = await User.create({
    name: req.body.name,
    password: secPass
  });
and the password stays protected in our database.
Additional info: there is also a concept called PEPPER. A pepper is a secret value kept outside the database (for example in an environment variable or a secrets manager) that is mixed into the password before hashing. Unlike the salt it is the same for all users and is never stored next to the hash, so a stolen database alone is not enough to even start guessing passwords.
For more info you can read the bcryptjs official documentation.
You can contact me on Twitter.
Suggest what topics I should write on next.