Bcrypt Tutorial in Nodejs | Understand Hashing, Salt, Rainbow Tables and Bcrypt
Вставка
- Опубліковано 8 гру 2020
- What is the safest way to store a user's password in the database? Did you guess hashing? If you did then you would be correct. Hashing with a salt, and using a slow running algo like bcrypt is the safest way to go about storing a user's password in the db. In this video I demonstrate how to use bcryptjs to do just that.
Get 1 on 1 mentorship with me! ▶▶▶calendly.com/codingwithchaim/... - Наука та технологія
Finally!! Thank You!. I was loosing my mind thinking how bcrypt knows what salt was used when comparing. now I know
Apparently there is also the concept of peppers (a fixed value stored in the server to append to each password) on top of salt. Are there anything else used in the modern day "best practices"?
Can someone explain me how bcrypt works (especially when we are comparing a hash with a text plain password ) ? I dont speak english, i cant undrestand the video
@@dontqsy5101 14:52
no whiteboard , no diagram, no presentation, no animation just code and straight talk at 2x and yes we all understood.Thnak you for such nice explanation
Love this explanation. Not only you explained the how, but the why. A lot of times we are working with stuff, but we don't really understand the behind the scenes. This explains it in case of what bycript does for us.
This might be the single best programming video on UA-cam...
Wow, you just explain an entire 2 weeks of my college security course in 17 minutes. Thank you much, sir
Oh man, every single question I had about bcrypt and salts was answered in this video! Really appreciate walking through from bad to best practice and explaining why each step is better than the previous.
Fine job explaining bcrypt! You answered all the burning questions I had about how this works! Thank you and keep sharing!
lol was definitely a lot to follow and keep up with but this was exactly what I needed . I wanted to figure out a way to use compare and check the user password and hash password to log a user in but since I love to learn how things work and the process I stumbled upon this video. I got a full understanding how Hashing and Salt works and the answer to my problem. Thank you soooo much !!
The best explanation, every single question I had about bcrypt and salts was answered in this video.
Thankyou
This is the first explanation I've heard that I can actually understand. Most of the time people abbreviate the hard parts or give an answer that's too complicated to pick apart. Thanks for the video.
Fantastic explanation, especially on the comparing of existing hashes which is the part I was confused about. Thank you!
Great video! Explained everything I wanted to know. Had to watch at 0.75x speed though cause I couldn't keep up lol
Now this is the best explanation I've gotten on the subject. And you talk fast too. Awesome. I'm subscribing right away
Awesome, Awesome explanation! Clarified everything. Exactly what i was looking for!!! Thanks!!
Thanks, 14:52 is the explanation I was looking for - the output bcrypt creates contains both the hash and the salt concatenated (plus the number of salting rounds), therefore there is no need to store the salt separately when building an application.
yep, me too!!
last part is video is what i was looking for. Awesome explanation! ! !
Thanks sir you really explained it well and with every ounce of knowledge. I really appreciate your work and really wish if teachers at my university would have been like you.
Exactly, I had this question in my mind, thank you for answering
Had to hit the like and subscribe button.
This was masterfully done.
Thank you very much.
Awesome video! Clear explanation! Thank you so much
Really well explained. Great video, thanks 🙏
Thank you for actually explaining what it is!
Pleasure
Great explanation, just loved it
Very helpful explanation. Thank You!
Explained very well with no BS thanks
You are the real gem we need in this world😍
Awesome, Awesome explanation! Clarified everything. Thanks!!
You are most welcome!
Amazing explanation . Thank you so much!
Well explained, Chaim so good :)
Hey !! what a amazing viedo !!! Really man, that was full of knowledge ...Thanks
So basically, Hacker can still get access to the salt and the hashes and figure out the password but he would have to create his own rainbow table for that specific salt which would be infeasible for him. Thankyou for the explanation!!
Best explanation I have yet seen.
excellent video, got rid off all my doubts
Good explanation. Thanks!
Excellent explanation thanks a ton!
Excellent explanation!
Great explanation. Thank you
this so amazing you deserve a lot of suscribers
Only thing I don't understand is why we even bother with the salt if we append it to the hashed password and then store it in the DB... is it because the hackers won't know the length of the salt? Or is it because any random salt at all makes the rainbow table useless? Regardless, very good tutorial. You explain things well.
Well done - great video
thanks for really interesting video Chaim!
You’re welcome!
thanks for this great video. I have a couple of questions. Is the salt also stored in the database somewhere? Or is it always some fixed length, say n, and the comparison is made without the last n characters in the hash with the salt? In other words, how is the salt removed? Also why do the salts in this video always start with a$10$?
Amazing Stuff!!
Sir really thanks for explaining this
great content man...
Thanks a lot for this.
Amazing explanation, thank you sir
You’re most welcome!
excellent presentation. very clarifying what happens when someone forgets their password?
היי
תודה לך
ממש מגניב שמצאתי את הערוץ שלך
thank you so much
it's very useful
Incredible.
u r a gr8 teacher
Thanksalot sir!
Very complete, clear and answered all of my questions. Exemplary video. If I may, why did you opt for bcryptjs over bcrypt? For the lack of dependencies?
Thank you! Honestly I cant remember the exact reason why I chose the js version here in this video, but typically in a real project, going with the JS version does make things simpler. I had an instance where I was trying to deploy code to AWS lambda with the non JS version and it was giving me major issues.
@@CodingWithChaim I’ll go for the js version then ahah, thanks again! Have a nice day :] (you got a new sub btw)
Thank you! Welcome to the channel
Thanks!
you are amazing
Thank you
On point
Hello, this is the only video that i got to understand bcrpyt. thank you for that. i have a question. does this mean i'll have to pull the hash from the database then compare it back in nodeJS?
correct
This may be stupid question, but if the salt that has been used is stored in the DB why can't the hackers just use that information to run through the common passwords. Is this unavoidable and this is just a way to make it more time comsuming for the hackers?
Thank you.
Thank you so much for this video, my 80% confusion is clear now but I am still having doubts about the hacker's technique, can't they use the same bcrypt method and apply their RANMBOW thing on it while logging in? but many things are clear with your video thanks a lot:)
Don't know how to thank you for this video.
Glad it helped
So theoretically, if a hacker got access to your database, couldn't they make a rainbow table out of the normal passwords hashed with the first 27 characters of your stored password (aka your salt)? Or is the idea that that takes so long that it isn't feasible?
You mentioned while comparing the password bcrypt take the salt out from the hash stored in the database and attaches it to the password that user has entered and then creates the hash for comparing both the has one present in the database and one that user has entered, but how does bcrypt know what is the start index and the end index of the salt to get the salt out of the hash i.e. stored in the database.
Bcrypt is the one that appends the salt to the hash so they know where it is
thanks
Iam shocked this video only has 2k views !
14:52 Thank you!!!
So if I get it right if the hacker knows where the salt begins and where it ends (since bcrypt is an open source package) we're back to the initial spot where they can just use the rainbow tables again, right?
No because the salt is totally random and is hashed.
@@CodingWithChaim but we can see on bcrypt repo that the salt has 16 chars and that the stored password will be the sequence of salt+password so the hacker doesnt need to "crack" the salt hash, they just need to take it off. Am I missurderstanding something?
@@alexsinx the salt gets added to the user’s password and then the combined string gets hashed. This means the resulting hash will not show up in a rainbow table
Seems reasonable to me too. If a hacker knows the hash() function and salt, he still can create rainbow tables.
It should look like this:
rainbow table = "salt "+ hash( "salt" + "popular_password")
But hacker need to create a new table for every "salt".
bcrypt should be used in the frontend and then the hash should pass through network and stored in the db right?
No. The password is sent in plain text to the server and then hashed on the server.
stat from 13:30 for the comparing scenario
Great explanation! But talking a bit slower would make it even more perfect ;)
in just 17 mins i got a cyber security degree, lol jk i don't think its this simple XD.
😳
Lechaim
It's practically infeasible to go back to the value from a cryptographic hash
I am completly dizzy !
you really speak very fast
Andrew Tate must have learned from him.
Speaking very fast
bro you talk faster than eminem. Calm down please.
you talk too much
Awesome, Awesome explanation! Clarified everything. Thanks!!
You are most welcome!