no whiteboard , no diagram, no presentation, no animation just code and straight talk at 2x and yes we all understood.Thnak you for such nice explanation
Apparently there is also the concept of peppers (a fixed value stored in the server to append to each password) on top of salt. Are there anything else used in the modern day "best practices"?
Can someone explain me how bcrypt works (especially when we are comparing a hash with a text plain password ) ? I dont speak english, i cant undrestand the video
Love this explanation. Not only you explained the how, but the why. A lot of times we are working with stuff, but we don't really understand the behind the scenes. This explains it in case of what bycript does for us.
This is the first explanation I've heard that I can actually understand. Most of the time people abbreviate the hard parts or give an answer that's too complicated to pick apart. Thanks for the video.
Oh man, every single question I had about bcrypt and salts was answered in this video! Really appreciate walking through from bad to best practice and explaining why each step is better than the previous.
lol was definitely a lot to follow and keep up with but this was exactly what I needed . I wanted to figure out a way to use compare and check the user password and hash password to log a user in but since I love to learn how things work and the process I stumbled upon this video. I got a full understanding how Hashing and Salt works and the answer to my problem. Thank you soooo much !!
Thanks, 14:52 is the explanation I was looking for - the output bcrypt creates contains both the hash and the salt concatenated (plus the number of salting rounds), therefore there is no need to store the salt separately when building an application.
So basically, Hacker can still get access to the salt and the hashes and figure out the password but he would have to create his own rainbow table for that specific salt which would be infeasible for him. Thankyou for the explanation!!
Thanks sir you really explained it well and with every ounce of knowledge. I really appreciate your work and really wish if teachers at my university would have been like you.
Only thing I don't understand is why we even bother with the salt if we append it to the hashed password and then store it in the DB... is it because the hackers won't know the length of the salt? Or is it because any random salt at all makes the rainbow table useless? Regardless, very good tutorial. You explain things well.
Very complete, clear and answered all of my questions. Exemplary video. If I may, why did you opt for bcryptjs over bcrypt? For the lack of dependencies?
Thank you! Honestly I cant remember the exact reason why I chose the js version here in this video, but typically in a real project, going with the JS version does make things simpler. I had an instance where I was trying to deploy code to AWS lambda with the non JS version and it was giving me major issues.
This may be stupid question, but if the salt that has been used is stored in the DB why can't the hackers just use that information to run through the common passwords. Is this unavoidable and this is just a way to make it more time comsuming for the hackers?
thanks for this great video. I have a couple of questions. Is the salt also stored in the database somewhere? Or is it always some fixed length, say n, and the comparison is made without the last n characters in the hash with the salt? In other words, how is the salt removed? Also why do the salts in this video always start with a$10$?
You mentioned while comparing the password bcrypt take the salt out from the hash stored in the database and attaches it to the password that user has entered and then creates the hash for comparing both the has one present in the database and one that user has entered, but how does bcrypt know what is the start index and the end index of the salt to get the salt out of the hash i.e. stored in the database.
Hello, this is the only video that i got to understand bcrpyt. thank you for that. i have a question. does this mean i'll have to pull the hash from the database then compare it back in nodeJS?
So if I get it right if the hacker knows where the salt begins and where it ends (since bcrypt is an open source package) we're back to the initial spot where they can just use the rainbow tables again, right?
@@CodingWithChaim but we can see on bcrypt repo that the salt has 16 chars and that the stored password will be the sequence of salt+password so the hacker doesnt need to "crack" the salt hash, they just need to take it off. Am I missurderstanding something?
@@alexsinx the salt gets added to the user’s password and then the combined string gets hashed. This means the resulting hash will not show up in a rainbow table
Seems reasonable to me too. If a hacker knows the hash() function and salt, he still can create rainbow tables. It should look like this: rainbow table = "salt "+ hash( "salt" + "popular_password") But hacker need to create a new table for every "salt".
Thank you so much for this video, my 80% confusion is clear now but I am still having doubts about the hacker's technique, can't they use the same bcrypt method and apply their RANMBOW thing on it while logging in? but many things are clear with your video thanks a lot:)
So theoretically, if a hacker got access to your database, couldn't they make a rainbow table out of the normal passwords hashed with the first 27 characters of your stored password (aka your salt)? Or is the idea that that takes so long that it isn't feasible?
no whiteboard , no diagram, no presentation, no animation just code and straight talk at 2x and yes we all understood.Thnak you for such nice explanation
This might be the single best programming video on RUclips...
Finally!! Thank You!. I was loosing my mind thinking how bcrypt knows what salt was used when comparing. now I know
Apparently there is also the concept of peppers (a fixed value stored in the server to append to each password) on top of salt. Are there anything else used in the modern day "best practices"?
Can someone explain me how bcrypt works (especially when we are comparing a hash with a text plain password ) ? I dont speak english, i cant undrestand the video
@@dontqsy5101 14:52
Love this explanation. Not only you explained the how, but the why. A lot of times we are working with stuff, but we don't really understand the behind the scenes. This explains it in case of what bycript does for us.
Wow, you just explain an entire 2 weeks of my college security course in 17 minutes. Thank you much, sir
This is the first explanation I've heard that I can actually understand. Most of the time people abbreviate the hard parts or give an answer that's too complicated to pick apart. Thanks for the video.
Oh man, every single question I had about bcrypt and salts was answered in this video! Really appreciate walking through from bad to best practice and explaining why each step is better than the previous.
lol was definitely a lot to follow and keep up with but this was exactly what I needed . I wanted to figure out a way to use compare and check the user password and hash password to log a user in but since I love to learn how things work and the process I stumbled upon this video. I got a full understanding how Hashing and Salt works and the answer to my problem. Thank you soooo much !!
Great video! Explained everything I wanted to know. Had to watch at 0.75x speed though cause I couldn't keep up lol
Fine job explaining bcrypt! You answered all the burning questions I had about how this works! Thank you and keep sharing!
Thanks, 14:52 is the explanation I was looking for - the output bcrypt creates contains both the hash and the salt concatenated (plus the number of salting rounds), therefore there is no need to store the salt separately when building an application.
yep, me too!!
Now this is the best explanation I've gotten on the subject. And you talk fast too. Awesome. I'm subscribing right away
The best explanation, every single question I had about bcrypt and salts was answered in this video.
Thankyou
last part is video is what i was looking for. Awesome explanation! ! !
Fantastic explanation, especially on the comparing of existing hashes which is the part I was confused about. Thank you!
So basically, Hacker can still get access to the salt and the hashes and figure out the password but he would have to create his own rainbow table for that specific salt which would be infeasible for him. Thankyou for the explanation!!
You are the real gem we need in this world😍
Thank you for actually explaining what it is!
Pleasure
Thanks sir you really explained it well and with every ounce of knowledge. I really appreciate your work and really wish if teachers at my university would have been like you.
Brilliant and straight to the point . Thanks you
Awesome, Awesome explanation! Clarified everything. Exactly what i was looking for!!! Thanks!!
Only thing I don't understand is why we even bother with the salt if we append it to the hashed password and then store it in the DB... is it because the hackers won't know the length of the salt? Or is it because any random salt at all makes the rainbow table useless? Regardless, very good tutorial. You explain things well.
Best explanation I have yet seen.
this so amazing you deserve a lot of suscribers
excellent video, got rid off all my doubts
Hey !! what a amazing viedo !!! Really man, that was full of knowledge ...Thanks
Had to hit the like and subscribe button.
This was masterfully done.
Thank you very much.
Explained very well with no BS thanks
היי
תודה לך
ממש מגניב שמצאתי את הערוץ שלך
thank you so much
it's very useful
Awesome video! Clear explanation! Thank you so much
Exactly, I had this question in my mind, thank you for answering
excellent presentation. very clarifying what happens when someone forgets their password?
Very complete, clear and answered all of my questions. Exemplary video. If I may, why did you opt for bcryptjs over bcrypt? For the lack of dependencies?
Thank you! Honestly I cant remember the exact reason why I chose the js version here in this video, but typically in a real project, going with the JS version does make things simpler. I had an instance where I was trying to deploy code to AWS lambda with the non JS version and it was giving me major issues.
@@CodingWithChaim I’ll go for the js version then ahah, thanks again! Have a nice day :] (you got a new sub btw)
Thank you! Welcome to the channel
Really well explained. Great video, thanks 🙏
This may be stupid question, but if the salt that has been used is stored in the DB why can't the hackers just use that information to run through the common passwords. Is this unavoidable and this is just a way to make it more time comsuming for the hackers?
Don't know how to thank you for this video.
Glad it helped
Well explained, Chaim so good :)
Great explanation, just loved it
thanks for this great video. I have a couple of questions. Is the salt also stored in the database somewhere? Or is it always some fixed length, say n, and the comparison is made without the last n characters in the hash with the salt? In other words, how is the salt removed? Also why do the salts in this video always start with a$10$?
Very helpful explanation. Thank You!
You mentioned while comparing the password bcrypt take the salt out from the hash stored in the database and attaches it to the password that user has entered and then creates the hash for comparing both the has one present in the database and one that user has entered, but how does bcrypt know what is the start index and the end index of the salt to get the salt out of the hash i.e. stored in the database.
Bcrypt is the one that appends the salt to the hash so they know where it is
Iam shocked this video only has 2k views !
Amazing explanation . Thank you so much!
Sir really thanks for explaining this
Good explanation. Thanks!
Awesome, Awesome explanation! Clarified everything. Thanks!!
You are most welcome!
Excellent explanation!
Hello, this is the only video that i got to understand bcrpyt. thank you for that. i have a question. does this mean i'll have to pull the hash from the database then compare it back in nodeJS?
correct
So if I get it right if the hacker knows where the salt begins and where it ends (since bcrypt is an open source package) we're back to the initial spot where they can just use the rainbow tables again, right?
No because the salt is totally random and is hashed.
@@CodingWithChaim but we can see on bcrypt repo that the salt has 16 chars and that the stored password will be the sequence of salt+password so the hacker doesnt need to "crack" the salt hash, they just need to take it off. Am I missurderstanding something?
@@alexsinx the salt gets added to the user’s password and then the combined string gets hashed. This means the resulting hash will not show up in a rainbow table
Seems reasonable to me too. If a hacker knows the hash() function and salt, he still can create rainbow tables.
It should look like this:
rainbow table = "salt "+ hash( "salt" + "popular_password")
But hacker need to create a new table for every "salt".
Well done - great video
Thank you so much for this video, my 80% confusion is clear now but I am still having doubts about the hacker's technique, can't they use the same bcrypt method and apply their RANMBOW thing on it while logging in? but many things are clear with your video thanks a lot:)
Great explanation. Thank you
Amazing Stuff!!
thanks for really interesting video Chaim!
You’re welcome!
Amazing explanation, thank you sir
You’re most welcome!
stat from 13:30 for the comparing scenario
So theoretically, if a hacker got access to your database, couldn't they make a rainbow table out of the normal passwords hashed with the first 27 characters of your stored password (aka your salt)? Or is the idea that that takes so long that it isn't feasible?
u r a gr8 teacher
great content man...
Thanks a lot for this.
bcrypt should be used in the frontend and then the hash should pass through network and stored in the db right?
No. The password is sent in plain text to the server and then hashed on the server.
14:52 Thank you!!!
Incredible.
Thanksalot sir!
you are amazing
Thanks!
Great explanation! But talking a bit slower would make it even more perfect ;)
Thank you.
On point
Thank you
nice!
in just 17 mins i got a cyber security degree, lol jk i don't think its this simple XD.
thanks
It's practically infeasible to go back to the value from a cryptographic hash
I am completly dizzy !
😳
Lechaim
Andrew Tate must have learned from him.
you really speak very fast
bro you talk faster than eminem. Calm down please.
Speaking very fast
you talk too much
Excellent explanation thanks a ton!
Awesome, Awesome explanation! Clarified everything. Thanks!!
You are most welcome!