490 WDB-Authentication

The document discusses authentication and authorization in web development. It defines authentication as verifying a user's identity, usually with a username and password, while authorization determines what resources a user has access to. It emphasizes never storing passwords directly in a database due to security risks. Instead, it recommends using cryptographic hashing with salts to hash passwords before storage for verification during login.

Uploaded by Aiko Yukimura

DEEP BREATH. IT'S TIME FOR AUTH.

AUTH
WEB DEVELOPER BOOTCAMP

AUTHENTICATION
WHAT IS IT?

Authentication is the process of verifying who a particular user is.

We typically authenticate with a username/password combo, but we can also use security questions, facial recognition, etc.
AUTHORIZATION

WHAT IS IT?

Authorization is verifying what a specific user has access to.

Generally, we authorize after a user has been authenticated.
"Now that we know who you are, here is what you are allowed to do and NOT allowed to do."
RULE #1
NEVER STORE PASSWORDS
CLIENT -> SERVER: LOG ME IN WITH:
  Username: 'geckoGuy'
  Password: 'lizard987'

SERVER: looks up the submitted username and checks the password against the stored record.

DATABASE (passwords stored exactly as typed, which is what Rule #1 forbids):
{
  username: 'kittycatluvr',
  password: 'meowmeow999!'
},
{
  username: 'geckoGuy',
  password: 'lizard987'
}
HASHING

THE SOLUTION!

Rather than storing a password in the database, we run the password through a hashing function first and then store the result in the database.
HASHING FUNCTIONS

Hashing functions are functions that map input data of some arbitrary size to fixed-size output values.

'I LOVE CHICKENS' -> D70FF0AB9A23EC5DBA9075B0E4DEDE8C2972BA933D6D5ADF3A42ABB6E0D7A2DA

'LOL' -> 07123E1F482356C415F684407A3B8723E10B2CBBC0B8FCD6282C49D37C9C1ABC
CLIENT -> SERVER: LOG ME IN WITH:
  Username: 'geckoGuy'
  Password: 'lizard987'

DATABASE (hashes stored, not passwords):
{
  username: 'kittycatluvr',
  password: 'd70ff0ab9a23ec5dba9075b0e4dede8c2972ba933d6d5adf3a42abb6e0d7a2da'
},
{
  username: 'geckoGuy',
  password: '07123e1f482356c415f684407a3b8723e10b2cbbc0b8fcd6282c49d37c9c1abc'
}

SERVER: runs the submitted password through the same hashing function
  'LIZARD987' -> 07123E1F482356C415F684407A3B8723E10B2CBBC0B8FCD6282C49D37C9C1ABC

SERVER: compares the result with the hash stored for 'geckoGuy'
  IT'S A MATCH!
CRYPTOGRAPHIC HASH FUNCTIONS

1. One-way function which is infeasible to invert
2. Small change in input yields large change in the output
3. Deterministic - same input yields same output
4. Unlikely to find 2 inputs with the same output value
5. Password hash functions are deliberately SLOW
AN EXTRA SAFEGUARD
SALTS

PASSWORD SALTS

OMG THAT'S SO RANDOM!

A salt is a random value added to the password before we hash it.

It helps ensure unique hashes and mitigate common attacks.

BCRYPT
OUR HASH FUNCTION!
SERVER -> CLIENT: I have a cookie for you! Your session ID is 4

CLIENT: holds only the session ID; the cart itself lives in the data store.

DATA STORE:
{
  id: 3,
  shoppingCart: [
    {item: 'lime', qty:1},
    {item: 'la croix', qty:99},
    {item: 'lemon', qty:2},
  ]
},
{
  id: 4,
  shoppingCart: [
    {item: 'carrot', qty:2},
    {item: 'celery', qty:5},
    {item: 'taser', qty:99},
  ]
},
{
  id: 5,
  shoppingCart: [
    {item: 'apple', qty:2},
    {item: 'onion', qty:5},
    {item: 'pear', qty:9},
  ]
}
