Making dope-level stuff with programming skills is good, but protecting your users from being hacked is great ❤❤ ... One important thing to keep in mind when doing server-side programming is the security of the database, passwords and user data.
Examples of big firms that have faced a security breach:
- LinkedIn - 2012 (millions of account hashes were leaked)
- Adobe - 2013
Often people do not even know that their accounts have been hacked; the leaked data is sold on and reused to break into their PayPal or bank accounts.
Why is it that all of these big companies are getting hacked and leaking their users' passwords?
- Are they not at least encrypting or hashing their passwords...? ... THEY ARE! The problem is how.
IMAGINE you're a hacker: you have broken into LinkedIn's database and you see this (one unsalted hash per user).
Notice that:
- The arrows point at hashes that are identical.
- That means the users with matching hashes have the same password.
Note that: an unsalted hash is always the same for the same input string... 😢
- The hacker realises that these three people share a password.
- He starts constructing a hash table, like below... 👇👇 (hash every common password once, then look each leaked hash up in the table)
- Compares the table's hashes with the leaked ones...
- BOOM! 💣 You've been hacked.. 👨💻👨💻👨💻
What if the passwords are not shared or common?
Let's build a bigger hash table...
What we need 🤔🤔🤔
- All words from a dictionary (150,000 approx)
- All numbers from a telephone book (5,000,000 approx)
- All combinations of the 52 letters a-z and A-Z in 6 positions (52^6 = 19,770,609,664)
ADD THEM ALL: you get about 19.8 billion candidate passwords.
BUT HOW TO DO THAT...? 😖😕🤔😡🤕
You could do it with one of the latest GPUs....
- Latest GPUs can compute about 20,000,000,000 MD5 hashes/second....
- That means we can hash all 19 billion candidates and look every leaked hash up in a single pass, even when no two users share a password. Because the hashes are unsalted, one candidate list covers every user at once.
- It would take only about 1 second (0.9 s approx). 😁😁😎
The need of the hour is protection..
- Developers use salting when hashing their passwords..
- SALTING: A salt is random data that is used as an additional input to a one-way function that hashes data and passwords. Cryptographic salts are broadly used in many modern computer systems, from Unix system credentials to Internet security. With a unique salt per user, two users with the same password get different hashes, and the attacker has to redo the whole candidate list for every salt instead of once for the whole table.
- Because LinkedIn and Adobe were breached, their most common passwords have leaked, and those passwords are now worthless: every attacker's dictionary starts with them.
- SplashData (publishes the list of the most common passwords..)
- That's why, on top of a unique random salt per user, big companies use a slow, tunable hash such as bcrypt instead of a fast hash like MD5, and raise its cost factor as hardware gets faster. Changing the hash function every day is not practical: a stored hash can only be recomputed when the user next logs in and supplies the password. 👨💻👨💻
POINTS FOR A DEVELOPER...
- Check for security vulnerabilities.
- Use a strong, slow password hash such as bcrypt (hashing, not encryption: you never need the password back, only to verify it).
Use .env for protecting API keys.
npm i dotenv --save
- Then make a .env file in your root directory.
- Open your .env file and put your secret strings inside it..
- If working with Node.js
- Add the following:
But your secrets are still in danger.. don't worry.
- Keeping the .env file in .gitignore will save you..
- If you commit your secrets to a GitHub repo, anyone can see them.. But listing .env in .gitignore stops Git from tracking the file. Note that if the secrets were already committed once, they stay in the repository history, so rotate them.
Stored data needs to be protected...
Hope you have learned something new and interesting..
Happy hacking!!! 👨💻👨💻
Top comments (8)
My understanding is that during signup, the password is saved as a hash.
When the user logs in, the text input password is converted into a hash and then this hash is checked against the one in the database. If both match, access is granted.
How does salt come into play in all of this, and if the salt changes every day, then the hash should be different every other day for the same text.
Please correct me wherever I am wrong.
The salt is random. You save the salt too with your password. However, you hide the hashing algorithm.
I'm surprised you didn't mention the "salt" method in your post. It is the most known technique (and very classic) to avoid the problem you are talking about.
I agree this is so basic. It can easily be tested in node.js
You can just do:
The two passwords have different hashes.
Furthermore the concept of SALT is basic and easily showcased via node:
Thanks @Médéric Burlet ❤
For helping people understand what salt is... 😊
And also thanks for contributing your code example in this thread..
And my purpose was not to explain only what salting is.. but how this stuff happens.. (ONLY BASICS).
I think you don't have to put the code, but explaining how to overcome the problem with salt is a good conclusion to the article. You can explain the generic concept: how you add some random string to the original password and hash that, so there is randomness in the password.
Of course salting has to be done properly and be secured in its own way. This is why Bcrypt is very practical.
Ya.. you are right though.... But I thought talking about salting and Bcrypt would be better if it were explained using some Node.JS examples and implementations.. But yes, I am pretty sure that giving a brief about it wouldn't be wrong...
Thanks for the recommendation