@JoeKarlsson
Created July 27, 2016 00:28
Lecture on password encryption, hashing, and bcrypt

How To Safely Store A Password

Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt.

Why Not {MD5, SHA1, SHA256, SHA512, SHA-3, etc}?

These are all general purpose hash functions, designed to calculate a digest of huge amounts of data in as short a time as possible. This means that they are fantastic for ensuring the integrity of data and utterly rubbish for storing passwords.

bcrypt Solves These Problems

How? Basically, it’s slow as hell. It uses a variant of the Blowfish encryption algorithm’s key schedule and introduces a work factor, which lets you decide how expensive the hash function will be.

What is a Salt?

In cryptography, a salt is random data that is used as an additional input to a one-way function that "hashes" a password or passphrase. Salts are closely related to the concept of a nonce. The primary function of salts is to defend against dictionary attacks against a list of password hashes and against pre-computed rainbow table attacks.

https://github.com/ncb000gt/node.bcrypt.js
https://en.wikipedia.org/wiki/Bcrypt
https://codahale.com/how-to-safely-store-a-password/

```javascript
const bcrypt = require('bcrypt');

// saltRounds - the cost of processing the data (default - 10).
// Each increment doubles the work needed to compute the hash.
const saltRounds = 10;
const myPlaintextPassword = 'password';
const someOtherPlaintextPassword = 'not_bacon';

bcrypt.genSalt(saltRounds, (err, salt) => {
  if (err) throw err;
  bcrypt.hash(myPlaintextPassword, salt, (err, hash) => {
    if (err) throw err;
    // Store hash in your password DB. The salt and cost are embedded in the hash string.
    console.log('hash: ', hash);

    // Load hash from your password DB and compare a login attempt against it.
    bcrypt.compare(myPlaintextPassword, hash, (err, res) => {
      if (err) throw err;
      // res == true
      console.log(res);
    });
    bcrypt.compare(someOtherPlaintextPassword, hash, (err, res) => {
      if (err) throw err;
      // res == false
      console.log(res);
    });
  });
});
```
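The snippet above never passes the salt to compare() because bcrypt stores the version, cost and salt inside the hash string itself. The following added example (not part of the gist, and not the node.bcrypt.js library's code) parses that 60-character format and checks whether a stored hash still meets a minimum cost policy, which is the check you need when raising the work factor over time. The sample hash strings are constructed to be syntactically valid and are not derived from any real password.

```javascript
// A bcrypt hash is a 60-character string:
//   $2b$10$<22-char salt><31-char hash>
//    |   |   (bcrypt base64 alphabet: ./A-Za-z0-9)
//    |   +-- cost: 2^cost key-expansion rounds (bcrypt accepts 4..31)
//    +------ version (2a, 2b, 2x, 2y)
const BCRYPT_RE = /^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Split a stored hash into its parts, or return null if it is not a bcrypt hash.
function parseBcryptHash(str) {
  const m = BCRYPT_RE.exec(str);
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // outside the range bcrypt accepts
  return { version: m[1], cost, salt: m[3], hash: m[4] };
}

// The work factor is fixed when the hash is created, so rows hashed years ago
// keep their old cost. Rehash on the next successful login when the stored
// cost is below today's policy, or when the value is not a bcrypt hash at all
// (e.g. a legacy MD5/SHA digest that should be migrated).
function needsRehash(str, minCost) {
  const parsed = parseBcryptHash(str);
  return parsed === null || parsed.cost < minCost;
}

// Constructed sample values (valid format only; not hashes of any password).
const SAMPLE_COST10 = '$2b$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234';
const SAMPLE_COST04 = '$2b$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234';
const NOT_BCRYPT = 'not-a-bcrypt-hash';

// Quick demonstration when run directly.
for (const s of [SAMPLE_COST10, SAMPLE_COST04, NOT_BCRYPT]) {
  console.log(s, '->', parseBcryptHash(s), 'rehash at cost 12?', needsRehash(s, 12));
}
```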