Tales from the bcryptjs library: Cryptography and Securing Passwords

Kristiana
4 min read · Nov 1, 2020


Let’s talk cryptography!

In sixth grade, I created a cipher for the alphabet and convinced my closest friends to memorize it so we could pass each other notes unreadable by teachers and other students. Though I didn’t know it at the time, we were practicing basic cryptography.

Cryptography is the practice of protecting information through the use of codes so that a message is readable only to its intended recipient. The first known evidence of cryptography dates to 1900 BCE, when unusual hieroglyphics were carved in the tomb of the nobleman Khnumhotep II; they were not intended to hide a message, but rather to make it seem more “dignified”. Cryptology as we know it aided early civilizations: Indian spies used it, as mentioned in the “Arthashastra” in 300 BCE, and two hundred years later Julius Caesar encrypted messages to his army generals. In modern history, Germany famously developed the Enigma machine to encrypt messages to its troops and allies, and the Zodiac killer created a cipher to intimidate and perplex the San Francisco Police Department and the public.

Four-rotor model of Enigma cipher machine used in WWII by the German navy. Source: https://www.britannica.com/topic/Enigma-German-code-device
One of the Zodiac’s ciphers. Source: https://www.wondersandmarvels.com/2013/02/the-zodiac-killer-ciphers.html/zod-vallejo

In the era of cyberattacks, governments and the tech field alike recognize an increased need for investment in cybersecurity. It is important that we as software developers provide users with a platform that prioritizes securing the data they provide us with, since, as we have seen, malicious actors are looking to obtain and take advantage of that data. One of the simplest ways we can protect user data is by hashing their passwords when they register with our applications. I will demonstrate how this can be accomplished.

This example assumes your server and database are up and running. Note: I am employing a PERN (Postgres, React, Express, NodeJS) stack. Let’s also go over some important vocabulary: salt and hash.

Salt — A random string of characters concatenated to the plain-text password. The longer a salt is, the longer it takes for a hash to be created. I have seen safe salt rounds quoted as 8–10 characters (but do your research and determine the best length based on your application’s security needs!!).

const examplePassword = "biscuits";
const salt = "3z90b6c3j";
const saltedPassword = "biscuits3z90b6c3j";

Hash — A random, unreadable, encrypted string of characters generated by a cryptographic algorithm. Can be decrypted.

const saltedPassword = "biscuits3z90b6c3j";
// After we run the salted password through a hashing algorithm...
const hashedPassword = "$2a$10$p9kAKPlRMGGY11TYpj2KcOaj.oRTJdDRKMqHK8RwVDgI7JXxu4JZe";

1. Install bcryptjs. You can also use the bcrypt library, but I like bcryptjs because it auto-generates a salt for you.
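The hash string above carries more than the digest. A bcrypt hash is 60 characters: a version tag (`2a`), a two-digit cost factor, 22 characters of salt and 31 characters of digest, so the salt is stored inside the hash itself and the cost (`10` here) is the number of key-expansion rounds expressed as a power of two, not a character count. The following parser is an added example, not code from the post or from the bcryptjs project; it splits the sample hash from above into those fields and adds a check that a stored hash meets a minimum cost, a useful guard when older, weaker hashes linger in a users table.

```javascript
// Added example (not from the original post): split a bcrypt hash string
// into its fields to show what is actually stored in the database.
// Layout: "$" + version + "$" + cost + "$" + 22 chars of salt + 31 chars
// of digest, both in bcrypt's own base64 alphabet ("./A-Za-z0-9").
// The cost is a power of two: cost 10 means 2^10 = 1024 rounds.
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

function parseBcryptHash(hashString) {
  const m = BCRYPT_RE.exec(hashString);
  if (!m) {
    throw new Error("not a well-formed bcrypt hash");
  }
  const cost = Number(m[2]);
  return {
    version: m[1],
    cost,
    rounds: 2 ** cost,
    salt: m[3],
    digest: m[4],
  };
}

// True when a stored hash was produced with at least `minCost`; a login
// path can use this to decide whether to re-hash after a successful compare.
function meetsMinimumCost(hashString, minCost) {
  return parseBcryptHash(hashString).cost >= minCost;
}

// The hash from the post above (a sample value, not a live credential)
const sampleHash = "$2a$10$p9kAKPlRMGGY11TYpj2KcOaj.oRTJdDRKMqHK8RwVDgI7JXxu4JZe";

console.log(parseBcryptHash(sampleHash));
console.log("cost >= 12:", meetsMinimumCost(sampleHash, 12));
```

Because the salt and cost travel with the hash, `bcrypt.compare` later needs nothing but the stored string and the candidate password; no separate salt column is required.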
npm install bcryptjs

2. Set up your Express router and require bcryptjs.

Note: You will see I have imported my database and User model from my database index.js file.

3. Create a route to your registration. Deconstruct the information you want to save to the database from the request body.

4. Our first call to the database checks whether the user we are creating is already registered. Using the Sequelize method .findOne, we compare the email the user is attempting to register with the emails already in the database.

5. Set conditions. If the user is not found, then hash their password. As shown below, bcryptjs will take care of salting the password, and we set the number of salt rounds as an argument. Remember to save the hashedPassword instead of the plain-text password the user entered.

const hashedPassword = await bcrypt.hash(password, 10);

Note in the code below: I set a condition ensuring the user entered a password longer than six characters. This is optional, as is the condition checking that an email was entered.

This is the final code for registering the new user.

For logging in, the code follows similar logic. Here is the code for logging in.

Note the following code:

const validPassword = await bcrypt.compare(password, user.password);

Bcryptjs compares the plain-text password entered by the user logging in with the hashed password stored in the database. The algorithm here decrypts the hashed password back to plain-text to compare with the human-friendly readable password. Cool, huh?!

This concludes my tales from the bcryptjs library! Happy crypting, ghouls and goblins!

Written by Kristiana

“I’m breakfast, lunch, and dinner — and dessert twice a week.” — Chris Chrisley
