A Brief History of Web Authentication (part 1)

node.js guide to web authentication

Probhakar
5 min read · Aug 6, 2020

So, you have created a website and want to let users register and then sign in. The standard flow is:

User registers with email id & password -> you store them in a database -> next time the user logs in with email & password, you verify them against the stored id and password.

I will be going step by step, from basic authentication to a more sophisticated approach.

Let's begin!

What you should have:

  1. A MongoDB server (mongod) running
  2. A file structure as shown below

[Image: File Structure]

The server.js file will hold the JavaScript required to set up the server. We will be using express.js ❤. Register.html will be the register page, signin.html the login page, and secret.html is our secret page which only authenticated users will be able to see. Pretty simple, huh!

Hit the command line and enter

npm i express body-parser mongoose

If you run server.js, you will see that the only way to reach secret.html is to log in successfully. So based on user registration, you can store user-specific data (e.g. photos, posts, etc.) and only that user will be able to access it after signing in.

(a) And this, my friend, is the most basic kind of authentication.

If you look at the database you will see entries like these:

[Image: MongoDB database]

But holy moly, the password is visible as plain text. If some hacker sniffs around in the database, what will happen? 😓

(b) Well, you know what we can do? Let’s encrypt the password and then save it!

npm install mongoose-encryption

That is all you have to do. The mongoose-encryption package will automatically encrypt the password field when a document is saved to the database and decrypt it when the document is read back. So convenient, na? Also remember that the “secret” should be an unguessable string, stored in a .env file and accessed as:

const secret = process.env.SOME_LONG_UNGUESSABLE_STRING;

Now if some bad guy peeks into the database, it looks like this:

[Image: MongoDB database]

You can see the password has been turned into the _ct and _ac fields 😁. But still, there is a catch. However secure we make it, it remains vulnerable to attack, because the encryption can be reversed: if the secret key ever leaks, it will be a bad day for the company. What could be the solution then 🤔?

What about a solution where only the user knows the password, and even the owner of the website doesn't? Pretty interesting, isn’t it! Here, my friends, comes Mr. Hash Function.

(c) Here comes the next improvement: it's Hashing!

Hashing is a method of converting one piece of data into another by passing it through a hash function, in such a way that it is very hard to recover the original input from the output.

For example, you give me a banana, I peel it, then make a milkshake. Turning the milkshake back into a banana is enormously computation-intensive. Computing a hash may take a fraction of a second, but recovering the original data may take years. This is what makes a hash a one-way function.

There are different hash functions:

  1. md5
  2. bcrypt
  3. SHA256, etc.

Our idea is to generate a hash of the user's password and store that in the database, so if someone gets access to the database he/she will be at a loss 😂. One thing to note: the hash of the same input is always the same.

The md5 hash of the string “password” is 5f4dcc3b5aa765d61d8327deb882cf99, irrespective of the machine you compute it on or when you compute it. So when the user tries to log in, we compute the hash of the password they entered and compare it with the hash stored in the database. In this manner only the user knows the password and nobody else 👍.

We will be using bcrypt, as the experts say md5 is 💩.

npm install bcrypt

Now you can see something like this in the database:

[Image: MongoDB database]

Well and good. But still, there is a caveat. Unfortunately, the most used passwords are

  • 123456.
  • 123456789.
  • qwerty.
  • password.
  • 1234567.
  • 12345678.
  • 12345.
  • iloveyou.

I mean, seriously 🤣. Around the world, people are using these as passwords. So hackers have come up with a strategy called the “dictionary attack”.

They pre-compute the hashes of known words, telephone numbers and addresses, and their permutations and combinations, and then look up the hashes of candidate passwords against the stolen ones. And this is a piece of cake, since “On an NVIDIA GeForce 8400GS graphics processor, 16–18 million hashes per second can be computed (md5)”. That is a huge number 🙄!

That is why the password strength indicator is such an important thing. Your password should be:

  1. Unpredictable, random
  2. At least some “X” digits long
  3. Uppercase + lowercase
  4. Special characters
  5. Numbers

Here is a graph of different passwords vs. their cracking time (how long until the hacker will be able to hack you 😎😅):

http://password-checker.online-domain-tools.com/

See how the length of the password matters. Also, observe the exponential growth in cracking time with respect to password complexity.

Since most people are choosing passwords in such a naive manner, engineers came up with the idea of salting. Also, if two people have the password “iloveyou.”, their hashes will be the same. To tackle this, each user is assigned a salt. The salt is then added to the password and the hash is computed. This process is repeated “n” times, with n chosen according to the computing power we have right now.

your password -> new password 1 = hashFun(your password, salt) -> new password 2 = hashFun(new password 1, salt) -> new password 3 = hashFun(new password 2, salt) … “n” times, where n is defined by the “salt rounds”.

In the server.js code there is a const named saltRounds, and it is set to 0. Make it 10 and play with it.

const saltRounds = 10;

This does not end here, though. We have now secured user login (at least to some extent 😅). Next, we will be talking about sessions and cookies, which are essential for a secure persistent connection over a stateless protocol like HTTPS. So, have a great day, see you soon.

Peace 🤘😎.
