#34 Spring Security | Bcrypt Password Encoder


Transcript

00:00

It's time to focus on encrypting your passwords. Now, what I'm talking about is: when you go back to the database, of course we do have users in the database now; in fact we have added a few users, right? And if I want to show you the users, if I say select star from

00:15

users here in the database and if I hit the query, these are our users. The problem here is I can see the passwords, okay? Imagine you are running some huge application, a critical application, and then you open your database and you

00:30

can see the users' passwords. And most of us use the same password on multiple platforms. Not a good idea, okay? Never do that, but yeah, people do that, right? So they have the same password on multiple platforms, so that's how you get hacked, right? I mean, not just one thing where

00:48

if I, a database administrator, can see the passwords, that's one risk. But what if you are using certain applications, and most of the applications which you are using are safe, but this particular application is not safe, and someone was able to hack it?

01:04

They got your password, and then they're using this password everywhere. So again, don't do that, don't use the same password everywhere. But again, the problem here is we are not encrypting the password; you can still see it. So what's the ideal way here? What I can

01:19

think about is, let me just go back to my IDE and let's use some area to type what I'm talking about. Okay, this looks like an empty file, right? So I will just use this area. So what we can do is we can take a plain text from the user, okay? So the user will say n@123,

01:36

and before I store that in the database, what I can do is I can simply encrypt it, right? So we can get a cipher format, so we've got a cipher text in the database. If a user is trying to verify, you can convert that cipher text into plain text and then you

01:52

can verify, right? That's one way. But the problem is, when you talk about encryption, like cryptography, we use a key there, right? And using a key you can basically do this encryption and decryption. But the problem is, what if the key gets leaked? And of course, for all the users you'll be using the same key; if one password is compromised and

02:10

if someone got the key, they can basically get all the passwords. We don't want that, right? So instead of creating a cipher text, what if you can create a hash of it? Now what is hashing? So basically hashing is one way: if you get a plain text, you run some algorithm on it, let's say SHA or MD5, and

02:29

then you find a hash. A hash is like a fingerprint for a text. For me, this is my fingerprint, and imagine if I change any part of my body, let's say if I remove these specs, the fingerprint should change. That's how basically hashing works. And you can't get back, so from the fingerprint you

02:45

can't get the person, but from a person you can get the fingerprint. That's how hashing works: so from the plain text you can get the hash, but from the hash you can't get the plain text. And we can use different algorithms to achieve that; one of the algorithms is SHA-256. But you can do that only once, right? You can run

03:01

you can run one round, but what if you can do it multiple times? Same thing, you know: get the plain text, run the algorithm, get the hash, run the algorithm on the hash, and again you will get a new hash. So let's say this is hash one; again you run the algorithm, you got hash two, and multiple times. How many times? Maybe

03:17

10, 15, 20, 100, millions. So if you do it more, and if it takes some time for the computation, of course you can secure it. And to achieve that we are going to use something called bcrypt, okay? So let's head back to the browser, and here

03:35

I want to search for "bcrypt generate password". There are different websites we can go through; one of the things which I use, sometimes I use bcrypt online or Browserling. So let me go to Browserling, or how do you pronounce it, Browserling, browser link, doesn't matter.

03:51

So here we got this bcrypt password generator. So basically it finds the hash, and you can do multiple rounds for it, okay? So let me just enter the password, let's say if I say n@123, and if I click on bcrypt you can see it is generating a password for you, so

04:07

basically not a password but the hash value of it, and this is the hash value. So from the password, or from the text, you can get the hash value, but not the other way around, so you can't basically get the text from the hash. And

04:22

you can see it is "world's simplest online bcrypt hasher", okay. I'm not sponsored by this link, I hope they will soon, but yeah, we got this thing here. But if you observe, we have one more thing, which is rounds. As I mentioned before, you can talk about the rounds, right? One round, two rounds. So it

04:38

says 10. Does it mean 10 rounds? No, it's actually 2 to the power of 10 rounds. You can imagine how big the number is. And we can also go for 12 rounds, and we are going to use 12 rounds. And if you see, when I change that number, observe this: with 10 rounds it gives you

04:54

this text. This is a type of bcrypt; so there are different types we can use, or different versions we can use. This is 2a; there's also 2y, the different versions. And this 10 here means the rounds. So if I say 12 now, if I click on bcrypt, you will get a

05:11

different number. So you can see we got 12 here and the hash also changes. So the bigger the number, the more difficult it is to crack. But again, by doing this you might be thinking, what if I say 100 and I want to make it more secure? You can do that; you can click on bcrypt and, okay, it exceeds the limit. But let's say if you give a

05:26

bigger number and you have no idea, okay, it's still calculating. That's a problem. You can see I clicked on bcrypt and it is still calculating. Imagine you are using this on your server, and every time a user logs in you will run all this number of rounds on your server. Imagine

05:43

the bill as well if you're using Amazon. Imagine, for even verifying a user, they will charge you a lot. And that's why it is not a good number. And still it's not going ahead; maybe I can go with 15 if that works, and I hope it will come back. Gone, gone. We'll just try again with some

06:00

text here, rounds, let's say 15. So the higher the number, the more time it will take; you can see it is still calculating. So better 10 or 12 works, and we're going to use 12. Again, okay, we got 15, so yeah, it takes time. So don't go for the bigger number; 12 works and I will stick to 12.

06:17

Click on bcrypt and this is the thing, okay. Now once we understood this, what you have to do is you have to implement this in our project, so that every time my user is logged in, or every time my user creates an account, at that time when you ask for the password, don't store the plain text. So that means we

06:33

have to do two things: one, we have to implement bcrypt when a user registers, and we have to implement bcrypt also when we are validating it. So let's do it for the registration. And as you can see in the project, we have not done the registration part yet; in the earlier video we had the user in the database,

06:49

right? So we went for some SQL query. And where is our pgAdmin? It's here. Let me make it full screen, browser full screen, yeah. So we already have these values, but now I want to create a new user. So what I will do is I will go back here to the code, and let's create a controller

07:05

for this. So for the creation we'll create a Java class and we'll say UserController, and in this, basically, first of all we have to make this a @RestController, that's the first thing. And next I want to register a user, so I will say public, I want to return the user, and

07:22

the class we're using is Users, not User, and we have to import the package for this. Again, the reason I'm using Users, not User: User makes sense, but then if you say User, it's an inbuilt class inside Spring Security, so sometimes you will import the wrong package and it will

07:38

give you errors, and that's why, on the safe side, I'm going with Users; normally we use User. And I will say register, and while you're registering it, of course you will receive the data from a client, so I will say @RequestBody Users user. And we have to also put the @PostMapping because we are submitting data

07:54

from the client, and this will be /register. Okay, now here basically the first thing I'm going to do is I'm going to return the user itself as it is. But don't you think I want to store this in the database? That's our aim, okay? So to do that I will need a

08:10

service layer. So I will go back to my service, and here I will create a new class, a UserService class. I will say Users... oh, do we have UserService? No, we don't. UserService, and the job of UserService is just to accept that particular request, right? So it will

08:25

return the Users, and I will say saveUser, or maybe we can say register itself, register, and this will basically take the object of Users, user. And who will store this in the database? Of course the service is accepting

08:41

it, and I forgot to write @Service, yeah. So the service is accepting it from the controller, but the service will say that's not my job; if you want to store something in the database, send it to the database, and to do that we are going to use the repository layer, right? And we already have it here, UserRepo, so I can

08:58

simply use UserRepo in my service. And I will close certain things here which we don't need at this point: HomeController not required, UserPrincipal not required, MyUserDetailsService not required, StudentController we don't require, okay.

09:14

So let's head back to the service and let's create the reference for the UserRepo, so UserRepo repo, and on top of this I will say @Autowired so that I don't have to create the object. And here I

09:30

will simply say repo dot, I want to save, so we can simply say save and pass the user. This will save this data in the database, okay, and also return the user. In fact I will return the user which we are storing in the database, not what we got, okay? So I'm returning the user here, and also I'm going to UserController,

09:49

okay, we need the service here, so I will say @Autowired private UserService, okay, we will say service, and here I'm going to basically say return service.register(user). So we got the request on the controller, the controller is sending to the

10:05

service, the service is sending to the database, and we are done. Again, till this point we have not talked about bcrypt; we are just storing the user in the database as it is, okay? So by doing this, let's restart the application and see what can go wrong. Okay, server started. I will use my

10:21

Postman, okay, and let's send get students; let's see if this is working first. And yeah, so this is working; authorization is this. Now I want to create a new user, right? So I will say POST and I will send the request for register, but we have to pass the body as well, right? Now

10:36

in the body, of course I don't want to pass the product; what I want to pass is the ID, I want to pass the username. Now from where will you get these fields? This depends upon what you have used here. So this is the type Users, and if you go to Users, these are the three fields you have to pass: ID, username and

10:51

password. So let's get back: ID, username and password. The value is three here because we already have one and two. The username I want to go for this time is, let's say, okay, which user don't we have? Let's verify from the database: we got Navin and Sushil. Let's go for Harsh, and the

11:09

password is h@123, okay. So let's click on send; it should work. You can see we got the user back from the database, and the best way to verify is actually hitting the database, right? So I will just run this, and yeah, we got the new

11:24

user, again with no bcrypt implemented. Now let's implement bcrypt. What I want to do is I want to create this new user, but then the data which you are storing in the database should be with bcrypt. So what we can do is here, before

11:40

you send the user to the database in the service layer, what you can do is you can change the password. So you can say user.setPassword, but how will I know what is the bcrypt version of that password? Maybe you can just get the password here, go to that website, copy that. I

11:57

mean, what I'm talking about is take the password, type it here, copy this and paste it there. Again, we don't want to do a manual process, so in that case we have to use a library, the bcrypt library. And the good thing is in Spring Security you will get bcrypt by default; you just have to use the object. So I will just create

12:14

the object here. There are two ways of creating the object: you can use the bean in the security config file, or in the configuration, or I can just hardcode the value, or I can just create the object by myself. So I will say BCryptPasswordEncoder, and you can see this is a part

12:30

of Spring Security, so org.springframework.security. So we are happy; at least we are not using some third party which will give you some errors. So we got the encoder, and we can say new BCryptPasswordEncoder. Now in this bracket, basically,

12:46

for the constructor of BCryptPasswordEncoder we can pass the strength. What is this strength? The rounds: 10 rounds, 12 rounds. By default it will be 10, if I'm not wrong. They don't have the documentation; let's download the source, let's see. So strength is by default, okay,

13:02

they don't have a default strength? Is it okay? By default it is minus one, which is weird. If you pass something, they've not mentioned this strength. So "log rounds to use, between 4 to 31", so we can use between these numbers. Next, we can also mention the

13:19

version. So with the strength you can also mention the version, like we can have 2a, 2b, 2y. We stick to the basic version, whatever it passes. Let's go back to the user, and here I will just mention 12; we're not going for 10 now, we're going for 12. Strength is 12. So using

13:34

this encoder I can simply say setPassword, encoder.encode, that's the method, and pass the password. But how will I know the password? Actually, we know in the user object we are already getting the password, right? So get the password, encode it, set it in the user,

13:50

set it to the user, and it will do your work, okay? So I mean, I am hoping this will work; let's try. So let's restart the application, now go back to register. Of course I will use the same username and password for the authorization. In the body I will create a new user now, so I will say for this time it is Oni

14:09

and a@123. Let's see if this works. Send. It worked, we got 200, okay. And we also got a password; can you see that we got a bcrypt password? We can also verify that in the database, so let's head back to the database, let's hit the query, and

14:24

this is your new password. But we got another big problem now. Let's try to do something: let's say I want to fetch all the students; I'm just trying to access some resource, and in the authorization, Navin will work. So if I run it, it works. But let's say I'm trying to use the new user, which is Oni, a@123. If I

14:44

click on send, we got authorization failed. Why? This is the right password. It's just that when you are creating a new user you are converting it into bcrypt, right, the hash, but when you're validating it we are not doing that, because in the validation, if

15:00

you go back to your security config, this file, we have written one line here, which is this line; can you see that? We are saying that when you're verifying, it still uses NoOpPasswordEncoder; that means we're using

15:16

a default one, not the bcrypt. So yeah, for storing we're using it, but for verifying we're not using it. So how do I verify? So we have to convert this. Of course, if I want, I can go to the database and copy this string; I'm just hoping this will work. You tried it? Yeah, it works that way,

15:33

but do you think the user will enter this? Of course they want to enter the normal passwords; you can't expect them to remember the hash values, and again it's not safe to transfer this on the internet. So what can we do? Of course, while verifying it, instead of using NoOpPasswordEncoder, use bcrypt. How difficult can that be? Maybe creating some classes and

15:50

objects? No, just one line. What you can do is just create the new object of BCryptPasswordEncoder and pass the strength; that's it. You just mention it; we are saying, hey authentication provider, the password encoder you have to use is bcrypt, and this is 12. That's it. Now it knows:

16:07

okay, whatever password I will receive, I will convert that into a bcrypt hash and now I will verify it. And by doing so, let's run this and let's see if this works. So go back to Postman; let's use the hash, and the hash will not work now. Yeah, you can

16:22

see we got 401. But now let's use a normal password; it's a@123. Send. It worked. What about the normal users, Navin? I mean, normal users means the users with the plain text; even for them it will not work. In that case you have to basically

16:39

ask them to update their passwords. Maybe, you know, sometimes you receive a link from some applications or some service saying, hey, it's time to change your password. Maybe they know they messed up sometimes and they ask you to change the password; I mean, I doubt it. Anyway, so one thing you can do is, if you want to change to the new password, if

16:55

you want this to work, you can create a bcrypt version of this and copy this. Again, not a good idea; I'm just showing you what you can do. And here you can just update Navin, so you can say, first of all, the ID of Navin is what? It's one. So I will say update users set the password; I don't

17:13

know why I'm feeling that I'm doing a crime here, where the ID is equal to three, oh sorry, ID is equal to one. Just hit this query, run; got updated. And run, so you can see for Navin also we got the encrypted password, or the hashed

17:29

password, and now I can verify this and this should work. So make sure that all your passwords are encrypted. And who is not safe? It's Sushil and Harsh, okay; it's time to send them a link saying update your passwords. So anyway, we have talked about bcrypt, and now we know

17:46

why encoding your password is important and how we do that. So we can use bcrypt; it's not the only solution, we have other solutions as well, and if you tried something, let me know in the comments and others will also try. So that's it from this video. I hope you enjoyed how we use bcrypt, how we do hashing, and I

18:03

hope you are enjoying whatever we are doing now. There are some other topics which are coming up, and maybe we'll do that after a small break; let's see how the time goes. So yeah, officially we are done with the part of Spring Security where you can use a username, you can use

18:19

a password, and things are working out. There's another way, which is JWT, which we'll see later. But even if you're securing your application, this solution works. JWT is a different ball game altogether. So that's it from this video; see you in the next video, bye-bye.
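The two changes the video walks through, hashing in the service before the save and replacing NoOpPasswordEncoder with a strength-12 BCryptPasswordEncoder in the security config, as an added Java example that is not the video's own code. The entity and repository names Users and UserRepo are assumed from the transcript, and the UserDetailsService is whichever one the project already defines.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Configuration
class SecurityConfig {

    // One shared encoder bean, so registration and login use the same cost.
    // Strength 12 = 2^12 rounds, the value chosen in the video.
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);
    }

    // Before the fix this provider was given NoOpPasswordEncoder.getInstance(),
    // so the stored "$2a$12$..." hash was compared against the plain text and
    // every bcrypt user got a 401. UserDetailsService is the project's own bean.
    @Bean
    AuthenticationProvider authenticationProvider(UserDetailsService uds,
                                                  PasswordEncoder encoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(uds);
        provider.setPasswordEncoder(encoder);
        return provider;
    }
}

@Service
class UserService {

    @Autowired private UserRepo repo;          // assumed: JpaRepository<Users, Integer>
    @Autowired private PasswordEncoder encoder;

    // Hash before save. encode() generates a fresh salt on every call, so two
    // users with the same password still get different stored hashes.
    public Users register(Users user) {
        user.setPassword(encoder.encode(user.getPassword()));
        return repo.save(user);
    }

    // Verification never "decodes": matches() re-hashes the candidate with the
    // salt and cost embedded in the stored hash and compares the results.
    public boolean passwordMatches(String rawPassword, Users stored) {
        return encoder.matches(rawPassword, stored.getPassword());
    }
}
```

passwordMatches is what DaoAuthenticationProvider does internally on login, which is why the client keeps sending the plain password while the database only ever holds the hash.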