How to be secure with Bcrypt?

Intjprogrammer
3 min read, Mar 9, 2021

So, let's talk security. You just finished this beautiful-looking website: completely responsive, loads fast, clean backend, and it performs feats that other programmers could only dream of. Sounds good, right?

Good! So you thought about security, right? In particular, password security. Did you hash and salt the password the user gave you when they signed up for your beautiful website? If not, I'm going to teach you about Bcrypt: what it does and how you should use it when building your next Sinatra & ActiveRecord web app.

Before explaining Bcrypt, let's talk about bad practices.

Bad Practices

You should absolutely never store passwords in plaintext. That means the password typed into the form and submitted to your Sinatra route is written to your database exactly as the user typed it. This is incredibly dangerous: if your website is hacked or your database leaks, the attackers immediately have every password in your database, ready to use against your site and against every other site where your users reused that password.

Good Practices

Here’s where Bcrypt comes into play:

Bcrypt is a Ruby gem (a binding to the bcrypt password-hashing algorithm) that ActiveRecord's has_secure_password uses to take the password submitted through the form in params and turn it into a salted hash before anything is stored.

Hashing:
A hash function takes input data and runs it through a fixed mathematical procedure to produce a 'hash' (also called a digest). A good hash function is one-way: given only the hash, it is computationally infeasible to recover the original input. Password hashes like bcrypt go one step further and are deliberately slow, with an adjustable cost factor, so that guessing passwords one at a time against a stolen database takes an attacker a long time. Each hashing function is different and has different strengths, but that's a blog for another day.

Salt:
Another crucial part of password security is 'salting': before hashing, a random, unique string of characters (the salt) is generated for each password and combined with it. The salt is not a secret and the user never has to remember it; it is stored alongside the hash (bcrypt embeds it in the digest string) so the same computation can be repeated at login. The purpose of salting is that two users with the same common, easy password end up with completely different hashes, so an attacker who cracks one of them learns nothing about the others and cannot use a precomputed table of hashes for common passwords; every stored hash has to be attacked separately.

Bcrypt both hashes and salts the password. Inside your Gemfile, add the bcrypt gem.

The Gemfile tells Bundler which gems to install.

Then run bundle install, which installs the gem for you. Once this is done, you must give your users table a string column named password_digest (in your migration).

That column name is the one has_secure_password looks for, and what it holds is bcrypt's digest, never the plaintext password.

Next we switch over to the ActiveRecord side of things, go to our User model and tell it has_secure_password. This macro works with bcrypt to write methods for us automatically: a password= setter that hashes and salts whatever you assign and stores the result in password_digest, a password_confirmation= setter, and an authenticate method that checks a login attempt against the stored digest. We can then create the user straight from the form with params[:password].

We named the column password_digest, but the model still accepts the password under the name password; password is a virtual attribute that exists only in memory, and only the digest is written to the column.

Once the user is saved, reading the row back from the database returns the hashed and salted digest and not the plaintext, and on login user.authenticate(params[:password]) returns the user when the password matches and false when it does not, making your beautiful and responsive web app that much more awesome to use!
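To make the hashing-and-salting explanation and the has_secure_password procedure above concrete, here is an added example (not code from the original post, and not the bcrypt gem's or ActiveRecord's own code) of a plain Ruby User class that behaves like a has_secure_password model: assigning password stores only a salted digest in password_digest, authenticate re-derives and compares it in constant time, and two users who choose the same password end up with different digests. Because the bcrypt gem may not be installed where this runs, the digest is derived with PBKDF2-HMAC-SHA256 from Ruby's standard OpenSSL library as a stand-in, and the "pbkdf2$iterations$salt$key" storage string is this example's own format, not bcrypt's. In the real Sinatra app the three pieces are `gem 'bcrypt'` in the Gemfile, a string column named password_digest in the users migration, and `has_secure_password` in the User model; ActiveRecord then calls bcrypt for the step this example spells out by hand.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not code from the original post. A plain-Ruby model that
# behaves like ActiveRecord's has_secure_password: the plaintext is never
# kept, password= writes a salted digest into password_digest, and
# authenticate re-derives the digest from a candidate and compares it.
#
# Assumption: bcrypt may not be installed where this runs, so the digest is
# derived with PBKDF2-HMAC-SHA256 from Ruby's stdlib OpenSSL as a stand-in.
# The storage format "pbkdf2$iterations$salt_hex$key_hex" is this example's
# own, not bcrypt's "$2a$cost$salt+hash" string.

ITERATIONS = 100_000 # work factor: higher is slower for attackers (and for you)
KEY_LENGTH = 32      # bytes of derived key stored next to the salt

# Hash a password with a fresh random salt (or a caller-supplied one, for tests).
def create_digest(password, salt: SecureRandom.random_bytes(16), iterations: ITERATIONS)
  key = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                 length: KEY_LENGTH, hash: 'sha256')
  # The salt is not secret: it is stored in the digest so login can reuse it.
  ['pbkdf2', iterations, salt.unpack1('H*'), key.unpack1('H*')].join('$')
end

# Constant-time equality: a mismatch in the first byte costs as much as one in the last,
# so response timing does not leak how much of the key an attacker got right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-derive the key from the stored salt and work factor, then compare.
def digest_matches?(digest, candidate)
  scheme, iterations, salt_hex, key_hex = digest.to_s.split('$', 4)
  return false unless scheme == 'pbkdf2' && salt_hex && key_hex
  salt = [salt_hex].pack('H*')
  recomputed = OpenSSL::KDF.pbkdf2_hmac(candidate, salt: salt, iterations: iterations.to_i,
                                        length: KEY_LENGTH, hash: 'sha256')
  secure_equal?(recomputed, [key_hex].pack('H*'))
end

class User
  attr_reader :name, :password_digest # password_digest is the column the post names

  def initialize(name)
    @name = name
  end

  # Virtual attribute, like has_secure_password's password=: assigning
  # params[:password] stores only the digest; the plaintext is dropped.
  def password=(plaintext)
    @password_digest = create_digest(plaintext.to_s)
  end

  # Same contract as has_secure_password's authenticate: the user on success, false otherwise.
  def authenticate(candidate)
    return false if password_digest.nil? || candidate.nil?
    digest_matches?(password_digest, candidate.to_s) ? self : false
  end
end

# Two users who pick the same password still get different digests because
# each digest carries its own random salt, yet both still authenticate.
def same_password_distinct_digests?(password)
  alice = User.new('alice')
  alice.password = password
  bob = User.new('bob')
  bob.password = password
  alice.password_digest != bob.password_digest &&
    alice.authenticate(password).equal?(alice) &&
    bob.authenticate(password).equal?(bob)
end

if $PROGRAM_NAME == __FILE__
  user = User.new('alice')
  user.password = 'correct horse battery staple' # constructed stand-in for params[:password]
  puts "stored:                          #{user.password_digest}"
  puts "login with right password?       #{!!user.authenticate('correct horse battery staple')}"
  puts "login with wrong password?       #{user.authenticate('hunter2')}"
  puts "same password, distinct digests? #{same_password_distinct_digests?('letmein')}"
end
```

The two properties worth checking when you run it: the stored string contains the salt and the work factor but never the plaintext, and a second account with the same password produces a different string. bcrypt's `==` does the constant-time comparison for you and its cost parameter plays the role of ITERATIONS here; the point of writing it out is to see what has_secure_password is hiding.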

Cryptography, cybersecurity and encryption were among my first interests when it came to programming, as the topics are immensely deep and complicated. Bcrypt is just one method of hashing and salting passwords; there are many others. I hope you enjoyed this short read on the basics of these concepts!
