peterlits zo
Posted on February 22, 2022
JWT's contents
A JWT (JSON Web Token) is a way of issuing tokens. It has three parts, separated by dots and each base64url-encoded:
- Header. Metadata about the token, mainly the signing algorithm (`alg`) and the token type (`typ`).
- Payload. The claims about the authenticated subject, for example the user name and his/her role.
- Signature. A MAC (for HS256, an HMAC-SHA256) or a digital signature over the encoded header and payload, computed with a key that only the server knows. It is a signature, not a "secret" or a "salt": the key stays on the server, and only the resulting signature travels inside the token.
See the Wikipedia article on JSON Web Token for the full format.
So, for HS256, we can say that:
Signature = HMAC-SHA256(server_key, base64url(Header) + "." + base64url(Payload))
The server that receives the token recomputes this value with its own key and checks, in constant time, that it matches the signature part of the token. If it does not match, the header or payload was altered (or the token was never issued by this server) and the token is rejected. The server must also pin the algorithm it accepts itself rather than trusting the `alg` field in the header, since the header is under the client's control.
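The sign-and-verify round trip described above, as an added example that is not part of the original post. It uses only the Python standard library; the key value and claim names are made up for the demo. It also shows the two checks a verifier must not skip: an altered payload fails the HMAC comparison, and a token whose header asks for `alg: none` is refused before any signature check.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (hypothetical). In production this is a long random
# secret that exists only on the server and is never sent with the token.
SECRET_KEY = b"demo-server-only-secret-do-not-reuse"


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    """Compact JSON, then base64url: one dot-separated segment of the token."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_jwt(payload: dict, key: bytes = SECRET_KEY) -> str:
    """Issue an HS256 token: base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _json_segment(header) + "." + _json_segment(payload)
    # The third part is an HMAC keyed with the server secret over the first
    # two parts exactly as they appear in the token.
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, key: bytes = SECRET_KEY):
    """Return the payload dict if the signature checks out, otherwise None."""
    if not token.isascii():
        return None
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        actual_sig = b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON (binascii.Error is a ValueError)
        return None
    # The server pins the algorithm it accepts. Trusting the token's own "alg"
    # field would let a client ask for "none" and skip the check entirely.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected_sig, actual_sig):
        return None
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    return payload if isinstance(payload, dict) else None


def tamper_payload(token: str, new_payload: dict) -> str:
    """Swap in a new payload but keep the original signature: all an attacker
    who does not hold the key can do."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _json_segment(new_payload) + "." + sig_b64


def forge_alg_none(payload: dict) -> str:
    """Token claiming alg "none" with an empty signature; must be rejected."""
    return _json_segment({"alg": "none", "typ": "JWT"}) + "." + _json_segment(payload) + "."


if __name__ == "__main__":
    token = sign_jwt({"sub": "alice", "role": "user"})
    print(token)
    print(verify_jwt(token))
    print(verify_jwt(tamper_payload(token, {"sub": "alice", "role": "admin"})))
```

Real deployments also check the registered claims (`exp`, `nbf`, `iss`, `aud`) after the signature passes; that is outside what the post covers, but the signature check is the part that makes those claims trustworthy at all.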
Salt
As we know, storing users' passwords in clear text is a stupid idea. If an attacker gets hold of the database, he will reuse those credentials against other websites, because many users use the same username and password on different sites (credential stuffing).
A better way to store passwords is to run them through a hash function. But an attacker can precompute a rainbow table (see Wikipedia) that maps hashes back to common passwords. So we add a salt: a random value, unique per user, stored next to the hash:
const hashed_password = hash(password, salt);
The salt does not need to be secret. It works because a table precomputed for one salt is useless against every other salt, so the attacker would have to build a separate table per user. What salting alone does not fix is speed: the attacker has the hash function and every salt (both sit in the database), and a fast hash such as SHA-256 lets him try billions of guesses per second against each record. So the usual answer is bcrypt. bcrypt generates a random salt for every password and applies its hash many times, with a configurable cost factor, so that each single guess is expensive. Even with the table and the salts in hand, the attacker has to pay that cost for every guess against every user, which makes large-scale cracking impractical. It does not make weak passwords safe, though: a short or common password still falls to a dictionary attack, just far more slowly.
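The three storage schemes the section compares, side by side, as an added example that is not part of the original post. bcrypt is a third-party package, so this stand-in uses PBKDF2-HMAC-SHA256 from the Python standard library; it has the same shape (random per-password salt, a tunable work factor stored with the record, constant-time comparison). The "rainbow table" is a constructed four-entry dictionary standing in for a real precomputed table.

```python
import hashlib
import hmac
import os

# Constructed data: a miniature rainbow table for unsalted SHA-256. A real one
# covers billions of candidates, but the lookup works exactly the same way.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
UNSALTED_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

ITERATIONS = 100_000  # work factor; raise it as hardware gets faster


def unsalted_hash(password: str) -> str:
    """What a naive 'just hash it' scheme stores."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(stored_hash: str):
    """One dictionary lookup recovers any password the table was built from."""
    return UNSALTED_TABLE.get(stored_hash)


def hash_password(password: str) -> str:
    """Salted, slow hash. Record format: iterations$salt_hex$digest_hex, so the
    salt and the cost travel with the record; neither has to be secret."""
    salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and cost, compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def guess_salted(stored: str, candidates=COMMON_PASSWORDS):
    """What the attacker is reduced to against a salted record: no precomputed
    table applies, so every candidate must be hashed with this record's own
    salt at full cost. Weak passwords still fall; they just cost more."""
    for candidate in candidates:
        if verify_password(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(unsalted_hash("password")))
    record = hash_password("password")
    print("record:", record)
    print("same password, second record differs:", hash_password("password") != record)
    print("dictionary attack on salted record:", guess_salted(record))
    print("strong passphrase:", guess_salted(hash_password("correct horse battery staple")))
```

Two records for the same password differ because each gets its own salt, which is why the precomputed table finds nothing in them; the last two lines show that the cost factor only slows a dictionary attack, it does not stop one against a password that is in the dictionary.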