
Password Hashing - Web Development

  • 0:00 - 0:03
    Okay, so we spent a lot of time talking
  • 0:03 - 0:06
    about how to use hashing and the HMAC
  • 0:06 - 0:09
    variant of hashing to make cookies that won't be
  • 0:09 - 0:14
    tampered with. Let's talk about using passwords for hashing. So,
  • 0:15 - 0:17
    say we have a table for users in our
  • 0:17 - 0:20
    database, and this table has a couple columns. One column
  • 0:20 - 0:23
    is for the user's name. And another column is
  • 0:23 - 0:26
    for the user's password. If we wanted to verify a,
  • 0:26 - 0:27
    a user is valid we might have a function that looks
  • 0:27 - 0:30
    like this. You know, and this would be called when somebody
  • 0:30 - 0:34
    logs in, and it probably says like, user, you know, equals
  • 0:34 - 0:36
    get user, where this is some function that gets the user
  • 0:36 - 0:38
    from the database. And then we'd say, you know, so if
  • 0:38 - 0:42
    this user exists and this user's password equals pw, what was
  • 0:42 - 0:46
    passed in, return user, and that's, and that's simple enough. Now,
  • 0:46 - 0:51
    the problem with this approach is that if your database gets
  • 0:51 - 0:54
    compromised, you are in trouble. You gave away all of
  • 0:54 - 0:57
    your users' passwords. Which means, not only are your users
  • 0:57 - 1:01
    angry, because you compromised their privacy, your website is in
  • 1:01 - 1:04
    trouble, because you've got bad guys logging in, screwing around
  • 1:04 - 1:07
    with all people's accounts, because they know everybody's passwords. So
  • 1:07 - 1:10
    that's a really bad situation. So what we want to
  • 1:10 - 1:12
    do is, instead of storing these plain text passwords in
  • 1:12 - 1:16
    our database, we'll store a password hash in our database.
  • 1:16 - 1:24
    So we'll have h of hunter two and h of Metallica. And if our
  • 1:24 - 1:29
    database is compromised, all the attacker has is a bunch of password
  • 1:29 - 1:31
    hashes, and you know, it's very, very
  • 1:31 - 1:35
    difficult, basically impossible, to turn the hash of
  • 1:35 - 1:38
    this into the actual input parameter. This
  • 1:38 - 1:41
    function changes a little bit, so instead
  • 1:41 - 1:45
    of comparing pw to the password field in the database,
  • 1:45 - 1:48
    we compare hash of pw to the password hash in the
  • 1:48 - 1:53
    database. And all of a sudden we're in a much better situation.
  • 1:53 - 1:55
    This takes very little work, and your database doesn't have any
  • 1:55 - 1:58
    plain text passwords in it. And if your database does get
  • 1:58 - 2:01
    compromised, all the attacker has is a bunch of hashes and
  • 2:01 - 2:04
    not a bunch of valuable passwords. So, this is
  • 2:04 - 2:07
    a very important strategy that you should employ when building user
  • 2:07 - 2:10
    registration systems, such as on this week's homework,
  • 2:11 - 2:13
    but before we get there, let's do a quiz.
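The two designs the lecture walks through, as an added example that is not the course's own code: a plaintext-comparison login beside the hashed-comparison login, a helper that shows what a database dump leaks under each, and, going beyond the lecture, a salted and iterated variant (PBKDF2-HMAC-SHA256) so that two users with the same password do not share a hash. The in-memory table, the column names (`name`, `password`, `pw_hash`, `salt`) and the `get_user` stand-in are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: an in-memory stand-in for the users table in the
# lecture. Column names (name, password, pw_hash, salt) are assumptions.
PLAINTEXT_USERS = {
    "alice": {"name": "alice", "password": "hunter2"},
    "bob": {"name": "bob", "password": "Metallica"},
}


def get_user(table, name):
    """Stand-in for the lecture's get_user(): fetch one row by user name."""
    return table.get(name)


def valid_login_plaintext(table, name, pw):
    """The 'before' design: compare pw to the stored password column.
    A database dump hands every password straight to the attacker."""
    user = get_user(table, name)
    if user and user["password"] == pw:
        return user
    return None


def hash_password(pw):
    """h(pw) as in the lecture: this is what gets stored, not the password."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def make_hashed_table(plaintext_table):
    """Build the hashed table: rows hold h(hunter2), h(Metallica), ..."""
    return {
        name: {"name": row["name"], "pw_hash": hash_password(row["password"])}
        for name, row in plaintext_table.items()
    }


def valid_login_hashed(table, name, pw):
    """The 'after' design: compare h(pw) against the stored hash.
    compare_digest keeps the comparison time independent of where the
    first mismatching byte is."""
    user = get_user(table, name)
    if user and hmac.compare_digest(user["pw_hash"], hash_password(pw)):
        return user
    return None


def leaked_secrets(table):
    """What an attacker holds after dumping the table under each design."""
    return sorted(row.get("password", row.get("pw_hash")) for row in table.values())


# --- Extension beyond the lecture: per-user salt plus a slow, iterated hash ---

ITERATIONS = 100_000  # assumption chosen for this example; tune for your hardware


def hash_password_salted(pw, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256: the random salt makes identical passwords hash
    differently, and the iteration count makes each guess cost real work."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations).hex()


def make_salted_table(plaintext_table):
    """Build a table whose rows store a fresh 16-byte salt and the salted hash."""
    table = {}
    for name, row in plaintext_table.items():
        salt = secrets.token_bytes(16)
        table[name] = {
            "name": row["name"],
            "salt": salt,
            "pw_hash": hash_password_salted(row["password"], salt),
        }
    return table


def valid_login_salted(table, name, pw):
    """Recompute the salted hash with the stored salt and compare in constant time."""
    user = get_user(table, name)
    if user and hmac.compare_digest(user["pw_hash"], hash_password_salted(pw, user["salt"])):
        return user
    return None


if __name__ == "__main__":
    hashed = make_hashed_table(PLAINTEXT_USERS)
    print("plaintext dump leaks:", leaked_secrets(PLAINTEXT_USERS))
    print("hashed dump leaks:   ", leaked_secrets(hashed))
    print("alice/hunter2 valid: ", valid_login_hashed(hashed, "alice", "hunter2") is not None)
```

Running the module prints the two dumps side by side; the hashed table never contains a `password` column, so a compromise exposes only digests.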
Title:
Password Hashing - Web Development
Description:

12-40 Password Hashing

Video Language:
English
Team:
Udacity
Project:
CS253 - Web Development
Duration:
02:14