Readings: Authentication
Readings
Explain to a non-technical friend how you would safely hash and store a password.
Hashing a password means running it through a one-way function that turns it into a fixed-length string of letters and digits. The output looks random but is completely determined by the input: the same password always produces the same hash, and there is no practical way to run the function backwards to get the password out of the hash. So the database stores only the hash, never the password itself. Before hashing, a random value called a salt is mixed in with each password so that two people with the same password still end up with different hashes, and the salt is stored next to the hash. When someone tries to log in, the password they typed is hashed with that stored salt and compared to the stored hash; if even one character is different, the resulting hash is completely different and the comparison fails. A good password hash is also deliberately slow to compute (bcrypt is built this way), so that someone who steals the database cannot cheaply try millions of guesses against it.
What is Bcrypt?
Bcrypt is an adaptive password-hashing function based on the Blowfish symmetric block cipher. It generates a random salt for every password and takes a work factor (also called the cost factor) that controls how many rounds its expensive key setup runs, so the time a single hash takes can be tuned now and raised later as hardware gets faster.
The password and the chosen work factor are passed into bcrypt, which produces a single string containing the algorithm version, the cost, the salt, and the hash; that string is what gets stored and later used to check a login attempt.
### Why might you use something like Bcrypt?
Bcrypt is slow on purpose and salted by design. The work factor makes every guess expensive, so a brute-force or dictionary attack against a stolen database takes far longer than it would against a fast general-purpose hash such as MD5 or SHA-256, and the per-password salt defeats precomputed rainbow tables because identical passwords hash to different values. Storing passwords in plaintext, or with a fast unsalted hash, should never be an authentication solution.
What is Basic Authentication?
Authentication in general is the process of verifying that an individual, entity, or website is who it claims to be. HTTP Basic Authentication is a simple scheme built into HTTP for doing that: instead of a login form and a session, the client sends the username and password with each request inside the Authorization header, and the server checks them before serving the resource.
Authentication answers "who are you?"; authorization is the separate step of deciding what data an authenticated user is allowed to see, and it happens only after authentication succeeds.
What properties are necessary for the header of a Basic Auth request?
The request carries an Authorization header whose value is the scheme name Basic, a space, and the credentials: the user ID and password joined with a : and then Base64-encoded, for example Authorization: Basic YWxpY2U6c2VjcmV0 for alice:secret. If the header is missing or wrong, the server answers 401 Unauthorized with a WWW-Authenticate: Basic header naming the realm, which is what prompts the browser to ask for credentials.
How are username:password in Basic Auth encoded?
In the header, username:password is encoded in Base64. Base64 is an encoding, not encryption: anyone who can read the header can decode the credentials, which is why Basic Auth must only be used over HTTPS.
Define the authentication process for a non-technical recruiter.
The authentication process starts when a user sends an id:password pair in a login request. The server looks up the ID in its user database. If a matching record is found, it hashes the submitted password with the salt stored in that record and compares the result with the stored hash (bcrypt's compare function does exactly this). If that also matches, the server gives the user a session cookie and from then on authorizes them only for the data they are allowed to view. If either step fails, the server rejects the login without revealing which step failed.
How should your error messaging respond (both HTTP and HTML)? Why?
Both the HTTP response and the HTML shown to the user should be generic and must not reveal whether it was the username or the password that was wrong. The server should return the same status code (401 Unauthorized) and the same message, "Invalid username or password", regardless of whether the account even exists. If the two cases were distinguishable, an attacker could first enumerate valid usernames and then concentrate password guessing on them, so the response, and ideally the response time, should look the same either way.
What are your learning goals after reading and reviewing the class README?
My goals are to understand Bcrypt and the syntax needed to hash and store passwords and user data.