The Importance of a Secure Password
When logging into your email account, the last thing on your mind is if your password is secure and safe. You expect, as a user on a site, for it to be secure and safe, right? According to Wikipedia, most data breaches occur in North America. It’s estimated the average cost of a data breach will be over $150 million by 2020. What about globally you ask? Well the annual cost forecast could be up to $2.1 trillion…Trillion!!
Recently, while working on a Sinatra project as a student at Flatiron School, I learned the four steps to increasing security for a User’s password. They arebcrypt, password_digest, has_secure_password, and .authenticate.
Let’s look at bcrypt first. What’s the importance of it? Bcrypt is a dependency of ActiveRecord. By adding this to your gem file, it will crate a hashing algorithm allowing you to store a secure hash of your user’s password. Ok…so what does that mean? Well, it will take the user’s password and generate random data around it which is called a salt. Bcrypt will then store this value into a hash and anytime the user wants to log in, bcrypt will compare the user’s log in to the encrypted hash. If that hash is equal to the original data, ta-da! you have successfully logged in! Another thing to note, when the has_secure_password method is invoked, that’s when the magic of bcrypt starts to work! We’ll get into has_secure_password later.
The gem bcrypt can be downloaded just by going into your terminal and typing gem install bcrypt.
Here is some seed data that I have in my project that shows the user’s password and what it looks like salted.
In my project, password_digest is found in my user’s migration table.
So you might be asking yourself, “Why not just use password in my user’s table?” Well, bcrypt recognizes password_digest as the password column, and thus knows to encrypt that column. You will use :password as a way to receive in params in other forms like a user_controller. This is kinda confusing, but the more you understand the flow of your application, the better sense it will make!
Let’s talk about the method has_secure_password. This is another macro that is provided by ActiveRecord. This method will be added in with any class that requires a password (i.e. the User class). This method is what invokes the salting and hashing process!
Another great addition to the has_secure_password method is that we receive a method called .authenticate. This allows us to authenticate passwords that are being passed in from a user. In addition to the .authenticate method, has_secure_password also gives us password=. This method gets called on when the user creates an account or logs in. password= uses bcrypt to create the password_digest that will get stored into the database. This is why your input <input type="password" name="password"> is called..password. You want the password= method to be called on in order to create password_digest.
In my Sinatra project, my login.erb form receives the data passed in from the user.
This fires off a post request to my “/login” path in my user_controller. If the name, email, and password are passed in as true (this is where the .authenticate method is invoked), the instance user.id is stored in a session and our user will be logged in!
So let’s recap :
bcrypt is a ruby gem that is needed to salt and hash a password. (Remember to add it to your Gemfile!) It’s also a dependency of ActiveRecord. So when has_secure_password is invoked, ActiveRecord depends on bcrypt for it to all function properly.
has_secure_password is a method that comes from ActiveRecord. It placed in a class that needs to store a password (User class), and it is what invokes the salting and hashing process. It also gives us password=, which uses bcrypt to create the password_digest that will get stored into the database.
password_digest is what is needed in order for bcrypt to recognize which column in our user’s table is needed to be salted.
.authenticate is a method that we get from has_secure_password , which then takes in the password params of a user.
Hopefully by reading this, it gives you a better understanding on how important securing passwords really is. By implementing this process into a project or a future endeavor, it can give your users the peace of mind they expect (even when they’re not!).