Quiz
- Could you expand on what it means for the code to be "already being rendered in a context where it will be executed"?
Sure. This is in the context of XSS attacks.
Consider something like this template:
If the comment were a SCRIPT tag, with the angle brackets, that might be problematic.
What EJS does for us is convert < to &lt; and such, so that the comment (the SCRIPT tag) won't be executed.
But if we (foolishly) put the following in our template:
Then converting the angle brackets doesn't help, because we've already told the browser to execute the user's code. Let's hope they aren't malicious!
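The escaping behaviour described in this answer, as an added JavaScript example that is not from the original page and does not use the EJS library: a hand-written escaper stands in for the escaping template tag, and the function names and sample comments are my own. It shows that the same escaper that neutralises a SCRIPT tag in HTML text does nothing for a value dropped inside a script element, and what the right encoder for that context looks like.

```javascript
// Added example (not from the page): emulating an HTML-escaping template tag
// to show why escaping only helps when the value lands in HTML text.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for an HTML text context (what an escaping output tag does).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Correct: the comment is HTML text, so a SCRIPT tag becomes inert text.
function renderInHtmlContext(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// The mistake from the answer: the value is placed inside a script element.
// The browser executes it as JavaScript, and HTML escaping does nothing to a
// string such as "alert(1)" that contains no special characters at all.
function renderInsideScript(comment) {
  return `<script>${escapeHtml(comment)}</script>`;
}

// Safe way to hand user data to page scripts: make it a JS string literal and
// also encode "<" so the literal can never close the surrounding script element.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/</g, '\\u003c');
}
function renderAsScriptData(comment) {
  return `<script>var comment = ${toJsStringLiteral(comment)};</script>`;
}

// Count live <script ...> elements in rendered markup (what a reviewer checks).
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed sample inputs: the SCRIPT-tag comment from the answer above, and
// a bare expression that needs no angle brackets to be executable.
const tagComment = "<script>alert(1)</script>";
const bareExpression = "alert(1)";
```

In HTML context the tag comment renders as inert `&lt;script&gt;...` text, while the bare expression survives HTML escaping untouched and becomes live code when inserted inside a script element.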
- I understand that we want bcrypt to be slow to prevent hackers from quickly brute-forcing passwords, but doesn't that mean the website will be slow for non-malicious users as well? Is the slowness of bcrypt just a trade-off we have to make to improve the security of login?
Yes, you are right! So that means that instead of hashing your password in 0.0002 seconds, it might take 2 seconds: 10,000 times longer.
Can you wait 2 seconds to login? Sure; you probably wouldn't even notice.
Of course, we can push this too far. Increase the work factor a bit more and people won't want to wait 20 seconds to login.
But we don't need things to be that slow. Just forcing them to take 1 second to try a password means that to try a million passwords takes 31 years, which is more than secure enough.
- What happens if, against all odds, two hashes derived from different strings are the same?
Then two different strings are valid passwords for an account. In this case, that's fine. There are some cryptographic situations in which this would be bad, but not here.
- How does "reset password" work with bcrypt?
This is just like "joining" in the first place. The user has to supply a new password, which is hashed and replaces the old one.
Of course, there are practical issues, like whether this person should be allowed to reset this password. So we email them a special link (under the assumption that the bad guys haven't hacked their email account) that allows them to reset their password.
- If bcrypt is so much more effective because it is slow and introduces a work factor, is salt now effectively irrelevant?
No, for the reasons mentioned in the reading: (1) salt means re-used passwords are secure on other platforms and (2) the bad guys can't precompute passwords.
But you're right that salt is less important.
Bcrypt still uses salt, so we'll assume they know what they are doing.