By Sahidur, published Feb 20

Part 2: How People Log In Safely — Login, Passwords, and Google Sign-In

A beginner-friendly explanation of how logins work, why passwords need to be protected, and how Google sign-in keeps you secure.

The Problem: Proving Who You Are

Imagine you run a members-only club. When someone arrives, you need to check: "Are you actually a member? Or are you trying to sneak in?"

On a website, you need the same thing. When someone says "I'm John," the system needs to be absolutely sure they really are John, not someone pretending to be John.

The Traditional Way: Email + Password

The classic method:

  1. Sign up: John creates an account with email john@example.com and password SuperSecret123!
  2. I never see the password: Instead of storing SuperSecret123!, I store a scrambled version (called a "hash")
  3. Login: John types his email and password
  4. I check: I scramble what he typed and compare it to my stored scrambled version
  5. If they match: "Welcome John! You're logged in."

Why Scramble the Password?

If a hacker broke into my database, they'd see scrambled passwords — not real ones. For example:

Real password: SuperSecret123!
Scrambled: $2b$12$K8X5q3.0n7jH9kL2mP4oR... (looks like garbage)

Even if hackers have the scrambled version, they can't figure out the real password. This scrambling is called bcrypt — think of it as a one-way machine that can't be reversed.

The Modern Way: Sign In With Google

But typing a password is annoying. That's why I added Google Sign-In. Here's how it works:

The Flow:

  1. You click "Sign in with Google"
    • The website opens a popup to Google
  2. Google asks: "Is this really you?"
    • Google checks if you're already logged into your Google account
    • Or it asks you to enter your Google password
  3. Google says "Yes, this is really them"
    • Google sends back a special proof (called a "token")
    • It's like Google giving me a letter saying: "This person is definitely john@gmail.com, I'm 100% sure"
  4. AllBengal trusts Google
    • I check Google's letter to make sure it's authentic
    • If it's real, I create an account for john@gmail.com if they don't have one
    • I log you in
  5. You're in the club
    • No password needed, no guessing, super simple

Why This Is Smart

  • One less password to remember: You already have a Google password, no need for another one
  • Google does the hard work: They're experts at security; they protect your Google account
  • Harder to hack: Google applies advanced security that an attacker can't easily bypass
  • You control it: If you lose your phone, you can log in through Google and kick off old sessions

How Sessions Work (The Invisible Bookmark)

Once you're logged in, the system needs to remember: "This person is John." It uses something called a session token or JWT (don't worry about the name).

Think of it like this:

  1. You log in: System gives you a special secret bookmark
  2. You make requests: You show the bookmark with each request saying "Hi, I'm John, and here's my special bookmark to prove it"
  3. System trusts you: As long as the bookmark is valid and hasn't expired, you stay logged in
  4. Bookmark expires: After 24 hours, your bookmark expires and you need to log in again

Why Bookmarks Expire

If someone steals your bookmark, they can't use it forever. After one day, it's useless. So even if hackers get your token, they have limited time to misuse it.

Two Types of Bookmarks

AllBengal uses two special tokens:

Access Token (The Quick Pass)

  • Lasts: 24 hours
  • Used for: Checking if you can write posts, like images, etc.
  • Short-lived: Makes it harder to misuse if stolen

Refresh Token (The Long-Term Membership)

  • Lasts: 30 days
  • Used for: Getting a new Access Token when yours expires
  • Like: When your quick pass expires, you use your membership card to get a new quick pass
  • Traceable: I track every refresh token, so if something suspicious happens, I can cancel it

The Refresh Token Dance

Here's what happens when your Access Token expires:

You: "Hey, I want to do something"
System: "Your Access Token expired (it's 24 hours old). Sorry!"
You: "I have a Refresh Token. Can I get a new Access Token?"
System: "Let me check if your Refresh Token is still valid..."
System: "Yes! Here's a brand new Access Token. You can use this for the next 24 hours."
You: "Thanks! Now I can do the thing."

Why Two Tokens?

Imagine you lost your Access Token. If you only had one token that lasted 30 days, hackers could use it for 30 days. But with two tokens:

  • The short-term one (24 hours) limits the damage
  • The long-term one (30 days) only comes out when you need a new short one
  • If you log out, I delete the long-term one, so the short one becomes useless

What If You Log Out?

When you click "Log out":

  1. Your Access Token becomes invalid
  2. Your Refresh Token gets deleted from my database
  3. Even if someone has your tokens, they can't use them anymore
  4. You're fully logged out

What If Someone Steals Your Token?

I have safeguards:

Rate Limiting (The Bouncer)

  • If someone tries to log in 10 times in one minute, I block them
  • They have to wait before trying again
  • This stops hackers from guessing passwords
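The bouncer above as an added example (not AllBengal's code): a sliding window that allows 10 login attempts per minute per key, where the key might be an IP address or an email; the limits and the in-memory table are assumptions.

```javascript
const MAX_ATTEMPTS = 10;          // "10 times in one minute" (assumed limit)
const WINDOW_MS = 60 * 1000;      // the minute, in milliseconds
const attempts = new Map();       // key -> timestamps (ms) of attempts still inside the window

// Returns true if this attempt may proceed, false if the key has to wait.
// Every attempt is counted, successful or not, so a guesser cannot probe for free.
function allowLoginAttempt(key, nowMs) {
  const recent = (attempts.get(key) || []).filter((t) => nowMs - t < WINDOW_MS);
  if (recent.length >= MAX_ATTEMPTS) {
    attempts.set(key, recent);    // keep the trimmed list; do not record the blocked attempt
    return false;
  }
  recent.push(nowMs);
  attempts.set(key, recent);
  return true;
}

// Milliseconds until the oldest attempt falls out of the window and a new try is allowed.
function waitTimeMs(key, nowMs) {
  const recent = (attempts.get(key) || []).filter((t) => nowMs - t < WINDOW_MS);
  if (recent.length < MAX_ATTEMPTS) return 0;
  return WINDOW_MS - (nowMs - recent[0]);
}

// The login handler asks the bouncer before it even looks at the password.
function tryLogin(key, nowMs, checkPassword) {
  if (!allowLoginAttempt(key, nowMs)) return { ok: false, reason: 'rate_limited' };
  return checkPassword() ? { ok: true } : { ok: false, reason: 'bad_credentials' };
}
```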

IP Checking

  • If you log in from New York, then immediately from Germany (impossible in real time), that's suspicious
  • I can warn you or require extra verification

Token Expiration

  • Even if hackers steal your token, it only works for 24 hours
  • After that, they'd need to steal a new one

How Passwords Are Really Protected

Here's the technical bit (super simplified):

Real Password: "SuperSecret123!"
↓
Scramble machine (bcrypt): Takes the password and jumbles it 1000+ times
↓
Scrambled: "$2b$12$K8X5q3.0n7jH9kL2mP4oR..." (looks random)
↓
Stored in database: Only the scrambled version

When you log in:
Your Password: "SuperSecret123!"
↓
Scramble with same machine
↓
"$2b$12$K8X5q3.0n7jH9kL2mP4oR..." (same scrambled version)
↓
Does it match the database? YES → You're logged in!

The scramble machine:

  • Can't be reversed (you can't un-scramble it to get the real password)
  • Always produces the same scrambled version for the same password
  • Is so complicated that it would take millions of years to guess

Real Security, Real Speed

AllBengal uses battle-tested libraries:

  • bcrypt: The gold standard for scrambling passwords (used by banks, governments, etc.)
  • JWT: Industry standard for tokens (used by Google, Facebook, etc.)
  • Google OAuth: The same thing Google uses for YouTube, Gmail, etc.

These aren't experimental ideas — they're proven secure.

The Bottom Line

Your login is protected by:

  1. Scrambled passwords — I can't see your real password
  2. Short-lived tokens — Even if stolen, they expire
  3. Google's security — If you use Google sign-in, you get Google-level protection
  4. Rate limiting — Hackers can't try thousands of times per second
  5. Token tracking — I can revoke any token instantly

Questions? How does your favorite app log you in? Drop a comment below!
