Bcrypt & Password Security - An Introduction

  • Published 20 Jul 2024
  • A conceptual introduction to bcrypt and why it's useful in the context of user password security.
    MakerSquare | mks.io/learntocode
    MakerSquare is a three-month full-time career accelerator for software engineering. By teaching computer science fundamentals and modern web languages like JavaScript, we prepare students to join top flight engineering teams.

COMMENTS • 274

  • @nyzss 3 years ago +1268

    nice video, and also hello fellow mangadex users.

  • @swarnavopurkayastha4489 3 years ago +587

    Views are gonna go stonks, now that mangadex promoted it

  • @aminakay8 3 years ago +114

    This was actually really interesting. Thanks mangadex 😂

  • @rierier1 3 years ago +143

    Came because of mangadex, stayed because of the easy to understand explanations. I can foresee myself coming to this channel a lot 😲

    • @Ajay-ox1eo 3 years ago +2

      It's dead tho.

    • @kandigloss6438 3 years ago +2

      It doesn't seem to be active tho and even when it was active it seemed to be a mix of conferences and someone's garbage bin, this seems like the most useful thing on it. Nice to have this though since clicking around all the other videos on this are needlessly complicated (one even turning "what is plain text?" into a drawn out and complicated explanation, wtf)

  • @user-mv5tx8bb2t 3 years ago +302

    whew, im safe. my password is way too weeb to be in any dictionary.

    • @senkuayano4937 3 years ago +1

      same

    • @markjohnston6974 3 years ago +75

      Joke's on you, the hackers are weebs, too.

    • @rickykurnia8940 3 years ago

      meaning?

    • @oka1424 3 years ago +1

      Mine's too personal so it might as well be random

    • @mqbaka 3 years ago +5

      problem is, if one of mangadex user uses a password that he has in his dictionary, he would be able to find all the other passwords using their hash. He just has to find one match to get all the others (I guess, the video doesn't make that point very clear but, I assume that is the way it works)

  • @man_lady8510 3 years ago +34

    i get none of this but i feel safer now thanks mangadex

    • @lyrisio 3 years ago

      From what I understand:
      "abc123" + "salt" => [bcrypt] => "ab7qru.."
      Salt can be any string of characters and is protection against dictionary attacks (hackers generate a dictionary of common passwords and test it against the database). Generally, salt is unique for each user taking account their join-date, their age, etc. If we take that into account, it can turn into:
      [salt] = [join date] + [age] ^ 2
      [password-digest] = bcrypt([password] + [salt])
      TLDR = It takes a long time to decrypt a single password from a single account.

  • @kennethjor 9 years ago +64

    Nice explanation of password hashing and salts, but I have to admit I came here looking for an explanation of bcrypt specifically.

  • @ashwanishahrawat4607 3 years ago +2

    Cartoon > Animation > Anime > OPM > Mangadex > Hack Reactor
    Great Journey so far, learned a lot.

  • @van2297 3 years ago +39

    Mangadex users👀

  • @kurama4785 3 years ago +5

    Thanks for the video and i want to thank MangaDex team for introducing me to this channel

  • @PantsStatusZero 10 years ago +33

    A dictionary attack is specifically a brute force attack using dictionary terms. A look up table of hashes is know as a rainbow table. Some rainbow tables are produced using a dictionary attack. A salt should be unique to each user. Salts make it hard to produce a rainbow tables because you would have to create a different rainbow table for every possible salt. So it's every possible password times every possible salt.

  • @SirLightfire 3 years ago +6

    Something he didn't mention is that you typically generate a salt _per password_. That means that generating the hash dictionary (or "rainbow table" as they're typically called) is impossible to generate in the first place.
    This means that cracking each password is _even slower_ because two users who have the same password, will have different password digests, because they have different salts

  • @daniel.... 7 years ago +7

    Thanks for this video. I finally understood how bcrypt works, especially the part about salts. One of the main advantages of bcrypt is that it cannot go obsolete as computers become faster because you just have to increase the number of rounds of hashing.
    When first released in 1999, the recommended number of rounds was 2^6...now you should use 2^15 for increased security.

  • @IsaacFoster.. 3 years ago +18

    I just wanted a site to read some manga , how did I get here lmao

  • @betr8 3 years ago +1

    Thank god I read JOJO with no email in mangadex. Nice video btw.

  • @crixavey9385 4 years ago +2

    The best explanation I have watched on Bcrypt functionality. Thanks

  • @jaycela900 3 years ago +13

    I'm here bcoz of what happened to mangadex,..😭😭😭😭

  • @moisesvelez1147 4 years ago +1

    This answered my questions and then some, thank you!

  • @Abdulaziz_turki 3 years ago +9

    From mangadex✌🏻

  • @Gheotic 7 years ago +1

    Awesome explanation, it all makes sense to me now

  • @FeliJz 8 years ago +2

    Awesome explanation!

  • @mohammedishaan2099 5 years ago +2

    Nice Explanation. Thank You.

  • @guilhermedantas5067 5 years ago +1

    Great explanation!

  • @AbhiKhatri 8 years ago +5

    Hats off to you man, I really liked your explanation. I am gonna share this to the dev community. :D

  • @23o8idlnqdolkqd 2 years ago +2

    A BCrypt hash includes salt and as a result this algorithm returns different hashes for the same input..

  • @orestborovets2140 4 years ago

    Very good explanation, thanks a lot

  • @Melonno 2 years ago

    Thanks for a great explanation!

  • @DZatheus 3 years ago +7

    Ok, so Mangadex is using an enigma machine. Got it.

  • @yogeesh93 7 years ago +97

    Please change the title to hashing and password security. "bcrypt" in title is misleading, I thought it explains about bcrypt working!

  • @idontwannagetbanned 3 years ago +5

    dont feel as scared about the mangadex leak now

  • @yuunayunohana9920 3 years ago +3

    This video makes it seem like you use a single salt for all users, which you must not do! Instead you should give each user their own random salt and store it with the user in the database.
    That way an attacker has to create a separate dictionary for each user. Additionally, the same hashed passwords are different for different users. So even if Alice and Bob use the same password, this is then not apparent in the database because the hashes still differ.

  • @anissefiani4453 2 years ago

    Subscribed. Very clearly and simply explained!!!

    • @AndyThomasStaff 5 months ago +1

      you were lied to. this video is garbage

  • @kueapel911 3 years ago +8

    haha jokes on the mangadex hackers, my password was already leaked along with my username on compromised password list.

    • @AJ-po6up 3 years ago +1

      Exactly, mine has been leaked and in the wild since 2010, so it's old news! there's nothing of value behind that password.

    • @kueapel911 3 years ago

      @@AJ-po6up even if they try to use it on other website, the most they'd get out of it would be some edgy comment list I made years ago. Nothing of value was lost. That's why I always use my leaked password for non crucial websites lol.

  • @fawazaljohani8447 3 years ago +3

    My 4 months security class in 7 minutes

  • @xiaoyangmu6439 7 years ago

    Awesome !

  • @spookyy607 3 years ago +4

    Shit now i dont remember what my password to mangadex was :/ Is there any way to show it now?

    • @jasongandy3996 3 years ago +1

      if you're on Chrome go to settings then passwords

    • @AJ-po6up 3 years ago +3

      it's 2021 use a password manager goddammit!

  • @ondrejvainer1510 3 years ago

    Great video, thanks!

  • @cleave4667 3 years ago +7

    this man must be confused with the mangadex comments

  • @ChaceBonanno 3 years ago +1

    So bcrypt uses a pepper to slow down the hashing process?

  • @moaazbhnas886 7 years ago

    thanks a lot ❤️❤️

  • @doosnobs8214 3 years ago +1

    I want to know how a website or app that has the hashed passwords let someone in.
    For example, the pw abc123 is hashed into jibberish, how does the database recognize the hash?
    I feel like I can guess that the pw you sign in with gets hashed the same way, so that when the hashed pw gets compared to the database one it lets you in.
    I would appreciate someone letting me know how it actually works.

    • @TheOcmer 3 years ago +1

      That is basically it. When you log in the app will encrypt the entered password and compares it with the stored password hash. If they match, the user entered the correct password. In the case the salt gets somehow changed, users will not be able to log in anymore as it will produce different hashes as the stored password hashes did not change.

  • @dacree0216 6 years ago +3

    in 6:00, why hacker compromise the password will compromise the salt? And how can hacker compromise the password??

  • @NoobWardenSpammer 3 years ago

    Hello just a thought to my self, what will happen if we encrypt both email and password before storing it in the database?

  • @ginicholas4322 7 years ago +1

    I'm pretty sure it's slow because it probably uses multiple Salts before and after the hash and is unique for every user other than that if one found out about the Salt well then wouldn't the entire Bcrypt database be compromised?

    • @UndeadFleshgod 6 years ago

      BCrypt uses a single per-user salt. You just hash it over and over again to slow the hashing process. The salt is actually embedded in the hash itself with the work factor (Format looks like $bcryptVersion$workFactor$saltHash) so you do have the salt for everyone. But that means you can't bruteforce all your database with that salt, only a single user.
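
The points raised in this thread and in the earlier replies about per-user salts and login checks (that the cost and salt are embedded in the stored string, that a login re-derives the digest from the stored salt, and that a hash dictionary built for one salt covers only one user) can be shown in a few lines. This is an added example, not code from the video or from any commenter; it uses only the Python standard library. The bcrypt string below is constructed to show the layout only and is not the hash of any real password, and `toy_slow_hash` is an assumed stand-in (PBKDF2-HMAC-SHA256 with 2**cost iterations) that models bcrypt's cost parameter without being the bcrypt algorithm.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed example of the bcrypt string layout: "$" version "$" two-digit
# cost "$" 22-char salt followed by a 31-char digest, in bcrypt's own base64
# alphabet. Salt and digest characters are made up for parsing only; this is
# not the hash of any real password.
EXAMPLE_BCRYPT = "$2b$12$" + "abcdefghijklmnopqrstuv" + "A" * 31

BCRYPT_RE = re.compile(
    r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def parse_bcrypt_string(stored: str) -> dict:
    """Split a stored bcrypt string into its fields.

    Everything needed to re-check a candidate password (version, cost, salt)
    travels inside the string, so the salt is not a secret; only the password is.
    """
    m = BCRYPT_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt hash string")
    version, cost, salt, digest = m.groups()
    return {
        "version": version,
        "cost": int(cost),
        "iterations": 2 ** int(cost),  # the work factor is exponential in cost
        "salt": salt,
        "digest": digest,
    }


def toy_slow_hash(password: str, salt: bytes, cost: int) -> bytes:
    """Assumed stand-in for bcrypt's expensive key setup: PBKDF2-HMAC-SHA256
    with 2**cost iterations. It models the cost parameter only; it is NOT bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost, dklen=32)


def create_record(password: str, cost: int = 10, salt: Optional[bytes] = None) -> str:
    """Store cost, salt and digest together, the way bcrypt embeds them.

    A fresh random salt is drawn per user unless one is supplied (the shared-salt
    case in salt_scope_demo passes the same salt for every user on purpose).
    """
    salt = os.urandom(16) if salt is None else salt
    digest = toy_slow_hash(password, salt, cost)
    return f"toy${cost}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Login check: read salt and cost out of the stored record, re-derive the
    digest from the entered password and compare in constant time."""
    scheme, cost, salt_hex, digest_hex = record.split("$")
    if scheme != "toy":
        raise ValueError("unknown record scheme")
    candidate = toy_slow_hash(password, bytes.fromhex(salt_hex), int(cost))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def precomputed_table(wordlist, salt: bytes, cost: int) -> dict:
    """A hash dictionary built for ONE salt: digest -> guessed password."""
    return {toy_slow_hash(w, salt, cost): w for w in wordlist}


def matches(records: dict, table: dict) -> dict:
    """Which stored records a table built for one salt actually explains."""
    hits = {}
    for user, rec in records.items():
        digest = bytes.fromhex(rec.split("$")[3])
        if digest in table:
            hits[user] = table[digest]
    return hits


def salt_scope_demo(cost: int = 8) -> dict:
    """Alice and Bob both chose 'abc123' (constructed). A table built from
    Alice's salt is run against per-user salts and against one shared salt."""
    wordlist = ["123456", "password", "abc123", "qwerty"]  # constructed mini-dictionary

    per_user = {"alice": create_record("abc123", cost), "bob": create_record("abc123", cost)}
    alice_salt = bytes.fromhex(per_user["alice"].split("$")[2])
    per_user_hits = matches(per_user, precomputed_table(wordlist, alice_salt, cost))

    shared_salt = os.urandom(16)
    shared = {u: create_record("abc123", cost, shared_salt) for u in ("alice", "bob")}
    shared_hits = matches(shared, precomputed_table(wordlist, shared_salt, cost))

    return {
        "per_user_records_differ": per_user["alice"] != per_user["bob"],
        "shared_digests_equal": shared["alice"].split("$")[3] == shared["bob"].split("$")[3],
        "per_user_hits": per_user_hits,  # one table explains one user
        "shared_hits": shared_hits,      # one table explains everyone
    }


if __name__ == "__main__":
    print(parse_bcrypt_string(EXAMPLE_BCRYPT))
    rec = create_record("abc123", cost=6)
    print(verify("abc123", rec), verify("abc124", rec))
    print(salt_scope_demo())
```

With per-user salts the two records for the same password differ and the table built from Alice's salt explains only Alice; with one shared salt both digests are identical and the same table explains both users at once, which is the difference the replies above are describing. Raising `cost` by one doubles the iterations in `toy_slow_hash`, and every entry in the attacker's table has to pay that same cost.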

  • @theswedishdude1 3 years ago +3

    so if you use an uncommon password then they wouldn't have it in their dictionary and you'd be safe?

    • @smokingrailgun4584 3 years ago +1

      No, it should be unique. Like a project/operation name, with numbers (birthday date, or other for you meaningful dates).

  • @logtguy8822 3 years ago +1

    THANK GOD I USED A GOOGLE RECOMMENDED PASSWORD

  • @JonWoo 6 years ago

    Very nice.

  • @darrenjones1671 6 years ago

    So if your password isn't a horrible password in the list of the hackers' dictionary attack does the dictionary attack not work? The dictionary attack only works for passwords that they would test against?

    • @markjohnston6974 3 years ago

      Yes...ish. Their list of 'common passwords' likely approximates 'every leaked password ever'. It's just text, the space and power to store it and run through it is negligible.
      If your password is literally unique in the universe, then yes, a dictionary attack would not work against it. If your password is an 8-letter English word, it almost definitely is on the dictionary. So anyone thinking 'my password is secure because it's not on the Top 10 Most Used Passwords List' is kidding themselves.

  • @deboramei6413 3 years ago

    I miss mangadex! 😢🤗❤

  • @markmiller8080 8 years ago +1

    This is an awesome explanation!

  • @Nasa1423 3 years ago +2

    I feel personally attacked... Thanks for the explanation tho.

  • @LBLE_ 1 year ago

    Nice explanation.

  • @tripsd5929 7 years ago +2

    Storing Hash (password + static salt) = HASHnew (lets say) in database is a bad idea. If the database is compromised, the attacker can use that static hash value (i.e.HASHnew) and pass it through MiTM to get authenticated.

    • @Yo-yx8wo 4 years ago

      salt is not static but random

  • @JohnySilverhand 3 years ago

    What is the difference between hashing algorithms and functions?

  • @user-mq5nl6sm5y 7 months ago

    amazing!

  • @fatimaharrie6446 3 years ago

    i feel so smart now thank you

  • @DialecticalMaterialismRocks 2 years ago

    exceeded my expectations

  • @re-blitz 3 years ago

    They made an API but I can't use it cause I can only read on mobile at the time and idk if the website is going up anytime soon :(

  • @jocasteins4309 3 years ago +2

    The Last video is 5 years ago quite sad but it is good to know this channel thanks to mangadex

  • @belajarit-65 1 year ago +1

    ohh, the reason is really-really great and so funny for me 😂😂

    • @AndyThomasStaff 5 months ago +1

      don't share your worthless thoughts

  • @ahmadalmoustafa 8 years ago +2

    Thanks , great explanation

  • @blogeek7039 7 years ago +4

    The difference is... never use MD5 ;)

  • @limitless9483 2 years ago

    Very clear thanks

  • @samandarshoyimov5580 19 days ago

    nice, very informative

  • @letsgodevs 3 years ago

    Thank you sir

  • @leana339 3 years ago

    Nice video good that i used a dumpster mail for mangadex but not so good that i don't have access to the dumpster mail anymore after their hack.

  • @Greenleaf_ 3 years ago +1

    Isn't that a rainbow table? I thought a dictionary attack was when you bruteforce using common words instead of individual characters.

  • @paulinebunuan 3 years ago +2

    Where do you read your manga now?

    • @Xavslip 3 years ago +1

      Mangasee ig

    • @paulinebunuan 3 years ago

      I used to read from the scanlators' respective websites, but I recently found Manganeko.net and it has no ads so its pretty good.

  • @yam4040 3 years ago

    It means that mangadex uses a good program to store our database

  • @jaylus3904 3 years ago

    tysm

  • @xaviermerinogomez2398 3 years ago

    But if I didn't sign up to the website and the website got hacked then am I safe or not?

  • @OneSaltyBruh 3 years ago +1

    yes hello from mangadex

  • @FalcoGer 5 years ago +1

    this is in fact not how bcrypt works. it works as a general idea on securing passwords, bcrypt uses a chained key generator accessing pseudorandom memory addresses to set up for generating the hash. the salt is not appended or prepended to the password string but instead used to set up the key generation.

    • @VinTJ 3 years ago

      so the part he got wrong is just how the salt works then?

  • @sarfaraza2419 3 years ago

    Does bcrypt use salt to hash password ?

  • @megumugi8620 3 years ago

    So, This means that i dont have to be too scared about my password on mangadex?

    • @kanoccino 3 years ago

      A simple password change should be safe, unless you use the same password in other websites, i suggest you change them all if ever the breacher decides to expose the info.

    • @lyrisio 3 years ago

      @@kanoccino or 2FA; if the website does not have that then just do what Kael H is saying.

  • @GabeFromUtah 8 years ago

    Very impressed with this presentation. You are quick with the tablet?

  • @stray5188 3 years ago

    Video: but bob is not so smart
    Me: oh that's me

  • @90OiNoTnA 3 years ago

    So should I change the password?
    So I enter the mangadex?

    • @vampante 3 years ago

      what do you mean?

    • @90OiNoTnA 3 years ago

      @@vampante that is, I did not understand well.

  • @slimemm2502 5 years ago

    I came to know about the algorithm of the bcrypt hash but I didn't find anything that helps me, you only told what every hashing algorithm does, I know more on that, this is not bcrypt

  • @goggles_2025 3 years ago

    Slightly off topic but
    As a mangadex user, is there anything i should do??

  • @SystemBot 3 years ago

    what if you hash the hash and the salt?

  • @Jmaasy 9 years ago +1

    Nice and clear explanation

  • @riyan_prof 3 years ago

    I think he will promote l@st pas😆 for storing password but I'm wrong when look at the videos upload times.... 😄
    I'm glad...

  • @oceanmeme5475 3 years ago +3

    i just wanted to read part 7

    • @vampante 3 years ago

      I was panicking because i thought I couldn't read the new part 8 chapter

    • @dzah04 3 years ago

      thank god i read it on mangadex a year ago

  • @JonyElektro 3 years ago +1

    Why didn't I know about this in my college days?
    Now I feel like an idiot using md5 to encrypt my projects...

    • @SirLightfire 3 years ago +1

      Depending on how old you are, md5 would've been fine for the computing power of the day

  • @kazunyaaa 3 years ago

    turn on 2FA, it's a pain to use it every time but it works

  • @ArunraajSingh 5 years ago

    simplified

  • @That_One_Guy... 3 years ago +1

    Imagine suddenly getting views flood because manga website recommends your video :)))

  • @Sohendar 3 years ago

    but, why is it slow? what makes it slow? and how by being slow makes it good?

    • @VinTJ 3 years ago

      I think he means the hashes are more complex and longer, therefore slower to generate. imagine if md5 takes the original string and turns it into a hash after 10 steps. Bcrypt turns it into a hash after like 50 steps.
      therefore for a list of the Dictionary Hash (assuming the hacker tries to make one that has a list of top 10,000 common passwords for example) it becomes like 50,000 times LONGER to generate the whole dictionary hash. imagine if the md5 dictionary hash it takes 1 minute to create and for bcrypt dictionary hash takes 50,000 minutes or a whole month. That's an insane difference.
      take this with a grain of salt ( _haha_ ) since I'm not a code-person but I think that's pretty much it

  • @Dominus_Potatus 3 years ago +2

    5:18 so... basically it is like elimination in algebra, hahaha

  • @luckylacky6931 3 years ago

    2021 here.

  • @Anvilshock 3 years ago

    Okay, so it's "designed" to be slow, but how does one do that? Surely it's not as easy as inserting a ton of WAIT clauses or somesuch that someone else compiling the algorithm for themselves could just take out and/or something easily alleviated by throwing ever more computation power at it thanks to Moore's, right?

    • @jellyrabbits375 2 years ago

      The hashing algorithm takes computational work, which takes time. It's designed to be slow by just doing more and more computational work, the attacker knows the exact computations he needs to do to get the same hash, but he needs to do it on every password he tries to guess.
      So if the computation takes 10 seconds, then each guess of his will cost him 10 seconds which he will have to go through for each of his guesses.

    • @Anvilshock 2 years ago

      @@jellyrabbits375 Appreciate the response, but it didn't actually explain anything. Just said the same things with different words.

  • @rnaodmsomething 3 years ago

    stonks

  • @lahirupc 4 years ago +1

    Why BCrypt is better 6:02

  • @senkuayano4937 3 years ago +2

    i came here from mangadex

  • @somiya968 3 years ago

    My overthinking saved me this time.

  • @dcg819 3 years ago +1

    I am Bob.

  • @aoisora4116 3 years ago +1

    But really, mangadex. This is the first time that I signed up to a website and got hacked where our PWs and IPs were leaked. How careless of them.

  • @mIsPtr 3 years ago

    70k

  • @EVVENN 3 years ago

    I did not plan to do this but my mangadex gmail acc is the same as my facebook gmail lol and someone tried to change my password, jokes on you hacker, for every site I use a different password even I forget about them

    • @VinTJ 3 years ago +1

      lmao tbh relate, I've lost like 30% of accounts I've made as a kid on kiddie flash game websites