Node.js hashing of passwords
node.jsSecurityCryptographyPasswordsPassword Hashnode.js Problem Overview
I am currently using the following for hashing passwords:
var pass_shasum = crypto.createHash('sha256').update(req.body.password).digest('hex');
Could you please suggest improvements to make the project safer?
node.js Solutions
Solution 1 - node.js
I use the follwing code to salt and hash passwords.
var bcrypt = require('bcrypt');
exports.cryptPassword = function(password, callback) {
bcrypt.genSalt(10, function(err, salt) {
if (err)
return callback(err);
bcrypt.hash(password, salt, function(err, hash) {
return callback(err, hash);
});
});
};
exports.comparePassword = function(plainPass, hashword, callback) {
bcrypt.compare(plainPass, hashword, function(err, isPasswordMatch) {
return err == null ?
callback(null, isPasswordMatch) :
callback(err);
});
};
Solution 2 - node.js
bcrypt also can be called synchronously. Sample Coffeescript:
bcrypt = require('bcrypt')
encryptionUtil =
encryptPassword: (password, salt) ->
salt ?= bcrypt.genSaltSync()
encryptedPassword = bcrypt.hashSync(password, salt)
{salt, encryptedPassword}
comparePassword: (password, salt, encryptedPasswordToCompareTo) ->
{encryptedPassword} = @encryptPassword(password, salt)
encryptedPassword == encryptedPasswordToCompareTo
module.exports = encryptionUtil
Solution 3 - node.js
Also there is bcrypt-nodejs module for node. https://github.com/shaneGirish/bcrypt-nodejs.
Previously I used already mentioned here bcrypt module, but fall into problems on win7 x64. On the other hand bcrypt-nodejs is pure JS implementation of bcrypt and does not have any dependencies at all.
Solution 4 - node.js
> bcrypt with typescript > > npm i bcrypt > npm i -D @types/bcrypt
import * as bcrypt from 'bcrypt';
export const Encrypt = {
cryptPassword: (password: string) =>
bcrypt.genSalt(10)
.then((salt => bcrypt.hash(password, salt)))
.then(hash => hash),
comparePassword: (password: string, hashPassword: string) =>
bcrypt.compare(password, hashPassword)
.then(resp => resp)
}
Exemple: Encrypt
const myEncryptPassword = await Encrypt.cryptPassword(password);
Exemple: Compare
const myBoolean = await Encrypt.comparePassword(password, passwordHash);
Solution 5 - node.js
You can use the bcrypt-js package for encrypting the password.
- Try npm i bcryptjs
- var bcrypt = require('bcryptjs') in top.
- To hash a password:
bcrypt.genSalt(10, function(err, salt) {
bcrypt.hash("B4c0/\/", salt, function(err, hash) {
// Store hash in your password DB.
});
});
4. To check your password,
// Load hash from your password DB.
bcrypt.compare("B4c0/\/", hash, function(err, res) {
// res === true
});
You can visit https://www.npmjs.com/package/bcryptjs for more information on bcryptjs.
Solution 6 - node.js
Try using Bcrypt, it secures the password using hashing.
bcrypt.hash(req.body.password, salt, (err, encrypted) => {
user.password = encrypted
next()
})
Where salt is the cost value which specifies the strength of hashing. While logging in, compare the password using bcrypt.compare method:
bcrypt.compare(password, user.password, (err, same) => {
if (same) {
req.session.userId = user._id
res.redirect('/bloglist')
} else {
res.end('pass wrong')
}
})
For more info, refer to this blog: https://medium.com/@nitinmanocha16/bcrypt-and-nodejs-e00a0d1df91f
Solution 7 - node.js
Bcrypt isn't a bad choice, but there are a few gotchas:
- It will truncate on
NUL
bytes. - It will truncate after 72 characters. If you're using passphrases, this might weaken your password unexpectedly.
As of October 2019, Argon2id is the optimal choice.
The preferred way of interfacing with Argon2id is through libsodium (a cryptography library that provides a lot of features). There are several bindings to choose from, but the easiest is probably sodium-plus.
const SodiumPlus = require('sodium-plus').SodiumPlus;
let sodium;
(async function(){
if (!sodium) sodium = await SodiumPlus.auto(); // Autoload the backend
let password = 'Your example password goes here. Provided by the user.';
// Hashing...
let hash = await sodium.crypto_pwhash_str(
password,
sodium.CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
sodium.CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
);
// You can safely store {hash} in a database.
// Checking that a stored hash is still up to snuff...
let stale = await sodium.crypto_pwhash_str_needs_rehash(
hash,
sodium.CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
sodium.CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
);
if (stale) {
// Rehash password, update database
}
// Password verification
let valid = await sodium.crypto_pwhash_str_verify(password, hash);
if (valid) {
// Proceed...
}
})();
The documentation for sodium-plus on Github includes password hashing and storage.