Man this guy is brilliant. He keeps uploading videos about stuff which has always left me perplexed. Plus these animations and short crisp videos are the perfect icing on the cake ❤️

In addition to a per-password salt you can also add a random, application-specific "pepper". It's hashed along with the password and the salt, but unlike the salt the pepper is not stored in the DB. A dump is useless without the pepper and an attacker would often need multiple vectors to obtain both.

Short, concise, very straight forward You guys are so amazing.

Binged watched all the videos.. though I knew about these concepts watching the simple yet accurate explanation was a pleasure. The graphics were simple and effective , my only complaint is I wish the video was longer with more content.

Very nice explanation. On top of password individual hash (stored in the DB), we also use an additional system wide salt, usually stored as a kubernetes secret property. This add another level of security. Also, we also use similar salt technic for the web token signature. Web Tokens embed their expiration, which is updated at each web request (typically as a http only cookie), and the third element is the signature using: ash(user_uuid + user_tsalt + global_tsalt). Also, we do NOT store credentials/access in the token, which is a longer conversation. So, a user row has a psalt column, for the password hash, and a tsalt for the token salt. Anyway, great vide, this is great to find this level of content on KZbin.

This is so wonderful!, i never understood why people always salted their passwords and thought it was never important, now i do thanks to you!

I love this man's voice. It's like a soft lullaby but he is feeding me information

You have amazing set of tutorials. Two things I would like to mention - What if someone steal the HDD containing this user database. They will have access to salt and bcrypt hash, they can start doing bruteforce attack. To address this issue - Should we also have bitlocker enabled on machine managing these passwords/sensitive information or Shouldn't we encrypt the hash by some common DB key for all the users or unique key of each user. Those keys then can be managed by some other service.

Short and sweet yet to the point explanation, eagerly waiting for your new videos.

Very clear. A pointer or two to common attacks to which unsalted hashed passwords are vulnerable would be useful, just to shock a naive viewer a bit. BTW, I appreciate the fact that you never call an attack "impossible", not even "infeasible", but merely "unattractive".

Simple quality. This channel is one of my role models.

Please release a course on system design! Your content is amazing!

Without his linkedin post i wont be able to figure this brilliant and easy-catch presentation

Another advantage of using salt is that.. internal person who has access to db cannot identify if there are same hashes stored in database, that means two user have same password.

It would have been nice if you had mentioned and explained "pepper" in addition to the "salt", which is the most modern and secure way of securing passwords :) Also, MD5 is not only "too fast", it's officially broken in way where mathematical collisions exist to narrow extract the original password pretty quick.

Excellent, well written scripts in easy to understand language. Keep doing these videos

Explained in simple style. Informative.

Glad to see one of the Authors of the book making these excellent videos for us to understand. Thanks for your effort...

Very good and interactive session. And it felt great to see you saying thank you while doing namaste.

With hashed password with salt in the DB, in DB leak case - attackers has hashed password and salt on one dish. Then, the thing is to try different algorithms to decode it... I think it's like a house with locked door, but without one wall 🙂.

Elegantly explained. You are top class brother! The design of inputs as well as the representation of logic is concise and clear.

I am really thankful to the KZbin algorithm for recommending this brilliant channel. Man, your content is to the point👌. Keep it up❤.

Great video I appreciate how concise this was. Why isn't the salt hashed too for extra security?

I am super happy because this is exactly how i store my customer passwords in my app database. Guess I am a good CS student afterall

Very Clear and Crisp explanation. These videos are very helpful. Appreciate your work for the community.

Great content! Super clean and straight forward. Well done!

Learned again something new , Thank you Alex!! More power to you !! Keep helping as you are !!

Sir you are so brilliant and a very good teacher. Please, make more videos.

Very well explained in a short video ❤

Great content, thank you! What software do you use to create animations? They are so clean and smooth, greatly adds to clarity of your explanations!

wish identity server 4 tutorials can be this easy to understand

These videos really are amazing

I didn't know that you are the author of the system design book; I had bought it months ago. Great book!

amazing explanation and illustration. thank you

Easy peasy explaination. Brilliant Man! 🙌 We need more system design videos 🙏

The easiest way to do this is Bcrypt. It stores all the information (password hash and salting information) in a single string in the DB. Lots of implementations across lots of programming languages.

simple and clean explanation.

I just discover your channel, it is pure gold man keep it going 🥰

What are you using to make the animated diagrams?

Thanks a lot for this video! Simple, clear & excellent demonstration

i love how you explain ! it can not be more clean and simple :D

Great series… N00b question: When the database gets compromised won’t salt be exposed as well? If so then p/w can be recovered ?

Great video mate. thanks for the web101 review.

I love your short and highly informative videos. Here’s a suggestion for a video. How are passwords stored in a password manager or an application that accesses other password protected applications like a database?

Some of the best videos I've watched on the topic!

I have to say some points of the author are somehow misleading: 1. a global field pepper is enough for rainbow table attack(or any other brutal force attack) 2. unique salts for every user is for preventing extreme cases when two users set the same password, since you need to make every user's hash unique. This can ensure the hacker can at most decode only one user's real password even if he break the first layer security(the global field salt). Normally, you cannot just use "unique salts for every user" to prevent attack, because if the database is hacked, the hacker can generate the rainbow table to attack one user by using "his unique salt from database" + "a list of commonly used password from online". So the best way is using pepper + salt, an not-bad way is using pepper alone, while using salt alone is unsafe!

Pretty Good explanation 👏

Thanks for sharing the knowledge! I learned something new today!

very nice content. I love it. Just praying for more videos to publish soon.

❤️ just what I was looking for

This design implies that the password will go as plain text through the network, before being hashed at the server. The technique I'm used to is: hash at the front-end (for both sign up and login), then re-hash it at the backend, including the salt and pepper. Very few milliseconds are added, and the password is never transfer as plain text.

Such a great video! Amazing Delivery and top notch visuals!!

Precise and accurate! Thank you very much!

If the salt is stored in the database, what is the value in adding it to the password? The hacker can get the salt from the database (if it is compromised), and using pre-computation attacks they can hack the password and the salt?

Great explanation. One thing I would like to add is that modern programming languages have hashing libraries available (e.g. for Argon2 and Bcrypt) and the salt is generated by the library and outputted as part of the hash, so you don't need to worry about trying to manually generate or store the salt.

Please do complete course on these topics.

We can also store the hash algorithm used in the database, which makes adapting to new algorithm easier.

Learned and subscribed.

Question: if user's password is weak and can be found in a common passwords DB? does salting still help? if yes, how?

Wow great simple.Can you please tell what for we use pepper?

Just found this channel, it's dope. That's my dawg.

Animation, quality & content improved video by video.

Really great videos on this channel, I enjoyed them very much even though I didn't look them up with the intent of learning something new

bcrypt automatically adds salt to the password. We don't have to store the salt separately in database, it will be taken care by bcrypt in general

Great content, you got me with the Kafka one. Pls do more system design vids

Brilliant. Please keep uploading videos.

One of the best tutorials. I love your videos awaiting for more.

Clear explanation. Please keep making these amazing videos.

Can you elaborate on the precomputation attack? Thanks a lot!

Great content and animation, concise and easy to grapes. I couldn't complain anything. If ask for any improvement can be made is keep produce more content and make voice sound more energetic .

Nice and simple .. Thank you!

Thanks for such crisp video. One question though. How will one store a password for a database in the same DB. ?

Thanks a lot! Very helpful information

Just to clarify myself.. that "Salt" is a randomly generated string that also stores in the db after hashing corresponding to the user. Correct me if I am wrong.

More videos please!!!!!

Amazing video Thanks

Thank you very much

How does the encyption algorithm match the hash stored in database and the one entered by the user, as algorithms like bcrypt, argon2 etc generate different hash values for the same input each time???

nice explanation. it does leave me with one question: how abaut password recovery?

Very nice explanation, quick question: why do we use salt when storing a password in the DB?

During login, the scenario you described, where the communication between the client and server can potentially be intercepted by a third party, sending the password in plain text is not secure.

In the context of bcrypt hashing in Node.js, the hashed password stored in MongoDB might look like this: "$2b$10$rPaTHg7Gi6HYHjjctWWtXern7vSd1D6PtvNxBzYH4kxvM5k9eG5qi" Here's a breakdown of the different parts of the hash: - "$2b$": The "2b" indicates the algorithm used for hashing, which is bcrypt. - "10": This represents the "workload" or the number of rounds the password was hashed. A higher number of rounds increases the computational effort required to hash the password. - 22 characters: This portion represents the salt, which is a randomly generated value unique to each password. The salt is securely stored within the password hash itself. - 31 characters: This portion represents the actual hashed password, which is the result of applying the bcrypt algorithm to the combination of the original data (password) and the salt, repeated for the specified number of rounds. It's worth noting that in some tutorials or explanations, the term "salt" may be mentioned separately, leading to confusion when looking at the stored password hash in the database. However, in bcrypt, the salt is included within the hashed password string itself. Understanding this format can help clarify the structure of the bcrypt hash and how the salt is incorporated into the overall hashed password. If you have any further questions or need more clarification, feel free to ask!

"password1" is a very commons pass, that's why I use "password2"

so the validation process when first fetch the salt then hash the combination of pwd+salt, does this happen at the client side or server side?

awesome video!!! if you it ok, could you make a video big O notation?? tyvm anyway!!

When logging into a website is the hash computed on the client or the server? In other words is the password sent over the Network to the server and the server computes the hash, or does the client computer accept the password, compute the hash, and then transmit the hash to the client?

cool, thank you!

Amazing sir

Wow ! Thats really good explanation to such a complex thing ! Keep it up

Very useful

That is concise and brief explanation indeed so thanks. But then, how do you overcome a "pass-the-hash" attack where an attacker already has access to a DB (does not matter how) and then he/she can use hashed passwords from other accounts for a possible privilege escalation?

when we add salt to the database entry, are we not exposing that to the attacker as well if they get db access ?

Amazing explanation. Everything makes much more sense now. What tool are you using to create such great animations?

Thanks for the video! I can't quite understand slide in 2:15. Can someone help me understand? Thanks

Quality Content. Thanks my friend.

Great content thanks. The part that surprised me is storing the salt in the database. I thought that was going to be kept secret. If the salt is stored in plain text in the database, then if someone has the data, how does the salt stop the hacker? Don't they have access to a secret key in this point?

thank you. waiting for more videos

Hello, thanks a lot for this useful video. I have a question: In the first part of the video I understand that hashing is a slow and costly process, and in the second part of the video I see that when a user log in there is a hashing step. How is it fast when the user log in and the system perform hashing of the password inserted + the salt? Thank you :)

What’s the appropriate hash function to use in real industrial

This is top stuff, thanks for sharing