Understanding password hashing

Tutorial 1 of 5

1. Introduction

Goal

In this tutorial, we aim to demystify password hashing. We will provide an understanding of the importance of password hashing, how it works, and how to implement it in a web application.

Learning Outcomes

  • Understand the concept of password hashing and why it's important
  • Learn how to hash passwords in a web application
  • Learn best practices for password management

Prerequisites

Basic knowledge of web development and programming concepts is required. Familiarity with JavaScript and Node.js is beneficial but not mandatory.

2. Step-by-Step Guide

What is Password Hashing?

Password hashing is a security technique for storing a one-way transformation of each user's password instead of the password itself. This matters because, if the database is breached, an attacker who obtains the hashes must still guess each password, whereas plain-text passwords are usable immediately.

How does it Work?

A hash function takes an input (or 'message') and returns a fixed-size string of bytes, the digest, which in practice differs for every distinct input. It is a one-way function: there is no feasible way to recover the original password from its hash. A login check therefore recomputes the hash of the submitted password and compares it with the stored value.

Best Practices

  • Always use a salt (random data, unique per password) when hashing passwords to prevent rainbow table attacks.
  • Use a deliberately slow, computationally expensive hash function such as bcrypt, scrypt or Argon2, not a fast general-purpose hash.
  • Never store passwords in plain text.

3. Code Examples

Let's hash a password using bcrypt in Node.js:

// Import bcrypt
const bcrypt = require('bcrypt');

// Generate a salt
const salt = bcrypt.genSaltSync(10);

// Hash the password
const hash = bcrypt.hashSync("myPassword", salt);

console.log(hash);

Here's what each line does:
- We import the bcrypt module.
- We generate a salt using the genSaltSync method. The 10 is the cost factor (what the library calls salt rounds); each increment doubles the work, so a higher value is slower but more resistant to brute-force guessing.
- We hash the password "myPassword" using the hashSync method and the salt.
- Finally, we log the hashed password to the console.

The output will be the hashed password, which should look something like this:

$2a$10$N9qoB1Q98e4goesjfdQJEOCJ1KfjfhQf3U7478vnJHV089743Ba

4. Summary

In this tutorial, we have learned about password hashing, its importance, and how it works. We've also looked at how to implement password hashing in a web application using bcrypt and Node.js.

Next, you could learn about additional security measures such as two-factor authentication, or how to implement password resetting functionality in your web application.

5. Practice Exercises

  1. Hash a different password and compare the result to the first one. Are they the same? Why or why not?
  2. Try hashing the same password with a different salt. What happens?
  3. Implement password hashing in a simple registration function.

Solutions

  1. The hashed passwords will be different because even a small change in the input produces a drastic change in the output.
  2. The hashed password will be different because a different salt is used. This demonstrates how salts prevent rainbow table attacks.
  3. Here's an example of a simple registration function:
const bcrypt = require('bcrypt');

function register(username, password) {
  const salt = bcrypt.genSaltSync(10);
  const hashedPassword = bcrypt.hashSync(password, salt);

  // Save the username and hashed password to the database. Here we
  // return the record that would be stored; the plain-text password
  // is never kept.
  return { username, passwordHash: hashedPassword };
}

In this function, we take a username and password as input, hash the password as we did before, and then pretend to save the username and hashed password to the database.