DEV Community

Code_Regina

|Authentication| From Scratch

- Authentication vs. Authorization
- How to not store passwords
- Cryptographic Hashing Functions
- Password Salts
- Intro to Bcrypt

Authentication vs. Authorization

Authentication

Authentication is the process of verifying who a user is.
A username and password is the typical combination; security questions and facial recognition are other ways to authenticate.

Authorization

Authorization is verifying what a specific, already-authenticated user is allowed to access.
Now that we know who you are, this is what you are and are not allowed to do.

How to not store passwords

Rule 1 is to never store passwords in plain text in the database.

This is what a password stored in plain text looks like:


{
  username: 'kittykat',
  password: 'notpassword123!'
},

Hashing means running the password through a hashing function and storing the result in the database instead of the password itself.


Cryptographic Hashing Functions


Cryptographic hash functions are one-way functions: given an output, it is computationally infeasible to recover the input.

- Small changes in the input yield large, unpredictable changes in the output (the avalanche effect).
- Deterministic: the same input always yields the same output.
- Collision resistant: it is infeasible to find two different inputs that hash to the same output.
- Password hash functions (unlike general-purpose hashes such as SHA-256) are deliberately slow, so that trying many candidate passwords is expensive for an attacker.

Password Salts

A salt is a random value, generated fresh for each password, that is combined with the password before it is hashed and stored alongside the hash. It ensures that two users with the same password end up with different hashes, and that an attacker cannot build one precomputed table of hashes and reuse it against every account.

Intro to Bcrypt

GitHub: kelektiv / node.bcrypt.js

node.bcrypt.js: bcrypt for NodeJs

A library to help you hash passwords.

You can read about bcrypt in Wikipedia as well as in the following article How To Safely Store A Password

If You Are Submitting Bugs or Issues

Please verify that the NodeJS version you are using is a stable version; Unstable versions are currently not supported and issues created while using an unstable version will be closed.

If you are on a stable version of NodeJS, please provide a sufficient code snippet or log files for installation issues. The code snippet does not require you to include confidential information. However, it must provide enough information so the problem can be replicable, or it may be closed without an explanation.

Version Compatibility

Please upgrade to at least v5.0.0 to avoid security issues mentioned below.

Node Version | Bcrypt Version
0.4 | <= 0.4
0.6, 0.8, 0.10 | >= 0.5
0.11 | >= 0.8
4 | <= 2.1.0
8 | >=

To install bcrypt from the terminal:

npm i bcrypt

To hash a password:

const bcrypt = require('bcrypt');
const saltRounds = 12;

bcrypt.genSalt(saltRounds, function(err, salt) {
  bcrypt.hash(myPlainTextPassword, salt, function(err, hash) {
    // store `hash` in the database; it embeds the salt and the cost factor
  });
});

This generates the salt and the hash in separate function calls. Because the bcrypt hash string embeds the salt and the cost factor, only the hash needs to be stored; bcrypt.compare reads both back out of it when checking a login.

Within an app

const bcrypt = require('bcrypt');

const hashPassword = async (pw) => {
  const salt = await bcrypt.genSalt(12);
  const hash = await bcrypt.hash(pw, salt);
  console.log(salt);
  console.log(hash);
  return hash; // this is the value to store, never pw
}

const login = async (pw, hashedPassword) => {
  const result = await bcrypt.compare(pw, hashedPassword);
  if (result) {
    console.log("Logged In, Success!");
  } else {
    console.log("Incorrect");
  }
  return result;
}

hashPassword('monkey').then((hash) => login('monkey', hash));
