Describe the bug

Presently, the password to log in to the Monkey Island is hashed in the client-side and the hashed password is transmitted to the server via a POST over HTTPS. If the password hash were stolen, it can be used to authenticate to the Monkey Island. In effect, when you hash the password on the client-side, the hash is the password, and the password is just a convenient way to not need to remember the long hash value.

Passwords should be sent via HTTPS (as they currently are) and hashes should be computed and compared on the server-side.

While we're at it, we might consider salting the hash.

To Reproduce

Steps to reproduce the behavior:

1. navigate to the monkey island login page from a browser
2. use the browser's developer tools to inspect network traffic
3. enter a username and password and click "login"
4. observe the post request to the auth endpoint in the developer tools

Tasks:

• Look at Password hash #978 and modify the authentication mechanism to use bcrypt on server side (0.25d). - @shreyamalviya
• Cleanup the test_user_creds.py and improve coverage (0.25d) - @VakarisZ .
  • Migrate to pytest.
  • Add tests to get_from_json and get_from_dict if they used.
  • Make to refactor unit tests to test one thing only.