When logging into your email account, the last thing on your mind is if your password is secure and safe. You expect, as a user on a site, for it to be secure and safe, right? According to Wikipedia, most data breaches occur in North America. It’s estimated the average cost of a data breach will be over $150 million by 2020. What about globally you ask? Well the annual cost forecast could be up to $2.1 trillion…Trillion!!
Recently, while working on a Sinatra project as a student at Flatiron School, I learned the four steps to increasing security for a User’s password. They are
Let’s look at
bcrypt first. What’s the importance of it?
Bcrypt is a dependency of
ActiveRecord. By adding this to your gem file, it will crate a hashing algorithm allowing you to store a secure hash of your user’s password. Ok…so what does that mean? Well, it will take the user’s password and generate random data around it which is called a salt.
Bcrypt will then store this value into a hash and anytime the user wants to log in,
bcrypt will compare the user’s log in to the encrypted hash. If that hash is equal to the original data, ta-da! you have successfully logged in! Another thing to note, when the
has_secure_password method is invoked, that’s when the magic of
bcrypt starts to work! We’ll get into
bcrypt can be downloaded just by going into your terminal and typing
gem install bcrypt.
Here is some seed data that I have in my project that shows the user’s password and what it looks like salted.
In my project,
password_digest is found in my user’s migration table.
So you might be asking yourself, “Why not just use password in my user’s table?” Well,
password_digest as the password column, and thus knows to encrypt that column. You will use
:password as a way to receive in params in other forms like a
user_controller. This is kinda confusing, but the more you understand the flow of your application, the better sense it will make!
Let’s talk about the method
has_secure_password. This is another macro that is provided by
ActiveRecord. This method will be added in with any class that requires a password (i.e. the
User class). This method is what invokes the salting and hashing process!
Another great addition to the
has_secure_password method is that we receive a method called
.authenticate. This allows us to authenticate passwords that are being passed in from a user. In addition to the
has_secure_password also gives us
password=. This method gets called on when the user creates an account or logs in.
bcrypt to create the
password_digest that will get stored into the database. This is why your input
<input type="password" name="password"> is called..password. You want the
password= method to be called on in order to create
In my Sinatra project, my
login.erb form receives the data passed in from the user.
This fires off a post request to my “/login” path in my user_controller. If the name, email, and password are passed in as true (this is where the
.authenticate method is invoked), the instance user.id is stored in a session and our user will be logged in!
So let’s recap :
bcrypt is a ruby gem that is needed to salt and hash a password. (Remember to add it to your Gemfile!) It’s also a dependency of
ActiveRecord. So when
has_secure_password is invoked,
ActiveRecord depends on
bcrypt for it to all function properly.
has_secure_password is a method that comes from
ActiveRecord. It placed in a class that needs to store a password (User class), and it is what invokes the salting and hashing process. It also gives us
password=, which uses
bcrypt to create the
password_digest that will get stored into the database.
password_digest is what is needed in order for
bcrypt to recognize which column in our user’s table is needed to be salted.
.authenticate is a method that we get from
has_secure_password , which then takes in the password params of a user.
Hopefully by reading this, it gives you a better understanding on how important securing passwords really is. By implementing this process into a project or a future endeavor, it can give your users the peace of mind they expect (even when they’re not!).