What is user authentication?
User authentication is the process of confirming a user’s identity. This is usually done through a user ID and password, but can be done through a variety of other attributes (i.e. given name, birthday, etc). In Goals App that I built using Sinatra, the user inputs a string for their email and a string for their password. The database could store this information as plain text, as it receives it in plain text, but this would leave the database open to attackers if they were to access the username and password database.
What happens if you don’t use authentication?
Without authentication, it is more likely that a hacker would have a successful attack on your database. Additionally, if a user or a few users use the same login credentials on your site as they do on other sites, a hack on your app or website could result in a case of identity theft. As the creators of Bcrypt elaborate in their READ ME, “It’s your responsibility as a web developer to make your web application secure — blaming your users for not being security experts is not a professional response to risk.”
How do we mitigate this risk?
By using a hashing algorithm, in this case Bcrypt, we can set up authentication on our site and make it more secure. Bcrypt allows us to run our passwords through a hashing algorithm and store them in a more secure way, decreasing the likelihood that a hacker would be able to obtain the password.
What is a hashing algorithm?
A hashing algorithm is an algorithm which manipulates data in a way so that it cannot then be reversed to its original data. In the case of Bcrypt, the password is salted, then passed through a hashing algorithm.
What is salt?
Salt is a cryptographically strong random value, or a small chunk of random data, that is added to the input of hash functions to make sure that a unique hash for every input is created. The salt is then stored along with the hash in the database.
Why is salting important?
A hash function without salt may always produce the same output when given the same input, since it has a deterministic nature. It would be easier for an attacker to easily predict the hash given this nature. We want the information we store to be less easily predictable. Bcrypt automatically handles the generation and storage of the salts.
What is Bcrypt?
Bcrypt is an authentication gem that allows you to harden your application against attacks that intend to steal username and password information, using salt and hash. Bcrypt allows us to use the method has_secure_password (in our User model) and .authenticate (in our user controller).
How does bcrypt store passwords?
Bcrypt will store a salted, hashed version of passwords in the database column named password_digest. Since the version that is stored has been passed through a hashing function, and also includes salt, it cannot be manipulated back to the original and is therefore more secure.
How do we use .authenticate?
Bcrypt allows us to use the .authenticate method in the user controller. The method .authenticate matches the password that was entered into the params hash to the salted password saved in the database.
What is has_secure_password?
Once bcrypt is added into your gemfile, it is important to add has_secure_password to your User class as an association. Has_secure_password is an activerecord macro. A macro is a method that you can call to create other methods. We include has_secure_password in the User model and are able to call it as we would any other ruby method.
What does has_secure_password do?
Has_secure_password is a method that takes the password attribute that the user enters and converts it to password_digest, which is how it is stored.
Can hackers still access this data?
Hackers trying to access this data would have to use the brute force approach. It would still be possible but more difficult. Bcrypt would force the hackers to increase the amount of work and time required to get the information, and would lessen the odds that they would be able to carry this out successfully. Bcrypt is also intentionally slow for this reason. Bcrypt is designed to be computationally expensive, so that it would take more time for a hacker to attempt multiple passwords in a rainbow table attack.
