NodeJS: bcrypt vs native crypto

node.js, Cryptography, Bcrypt

node.js Problem Overview


Can someone point out the differences between the two and example situations where to use each?

bcrypt looks great.

node.js Solutions


Solution 1 - node.js

Use bcrypt where you want to do slow and computationally expensive hashing -- this will generally be for hashes where you really don't want an attacker to be able to reverse the hash, e.g. user passwords. Use native crypto for everything else.

Solution 2 - node.js

In addition to @mike-scott's answer, you should prefer bcrypt for password-related stuff, but you can still use crypto for a wide range of tasks like creating random tokens, an HMAC checksum, or SHA1/MD5 hashes:

var crypto = require('crypto');

// random tokens: 16 random bytes, printed in two encodings
var buf = crypto.randomBytes(16);
console.log('Random token of %d bytes in hexadecimal: %s', buf.length, buf.toString('hex'));
buf = crypto.randomBytes(16);
console.log('Random token of %d bytes in base 64: %s', buf.length, buf.toString('base64'));

// a hash-based message authentication code (HMAC) using a shared secret key
var string = 'My coffee please';
var key = 'Right away sir';

var hmac = crypto.createHmac('sha1', key).update(string).digest('hex');
console.log('HMAC-SHA1 of "%s" using key "%s": %s', string, key, hmac);

// an MD5 hash
var hashmd5 = crypto.createHash('md5').update(string).digest('hex');
console.log('The MD5 hash of "%s" is %s', string, hashmd5);

// a SHA1 hash
var hashsha1 = crypto.createHash('sha1').update(string).digest('hex');
console.log('The SHA1 hash of "%s" is %s', string, hashsha1);

Solution 3 - node.js

I would use nodejs's native crypto library.

I think the decision should not be based just on who does what better; it is much more than that.

You should know why node.js included a built-in module for crypto, while it was not originally part of node.js and many libraries were popular in the npm repository, including bcrypt.

The reason was that cryptography is an important security aspect, and using an external module from npm carries the possibility of malicious code being injected, which defeats the original security objective.

Hence the need for a trusted library for such cryptographic functions, which was the motivation for nodejs to provide such a library.

If you think the cryptographic method is not strong, it is better to raise an issue with nodejs about it instead of blindly trusting an external library.

Still don't believe me? Read this article: https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

Solution 4 - node.js

With new nodejs versions, the scrypt function from the crypto module can be used for hashing passwords.

This is from the nodejs documentation: Scrypt is a password-based key derivation function that is designed to be expensive computationally and memory-wise in order to make brute-force attacks unrewarding.

Solution 5 - node.js

According to me, bcrypt is better. I have made two websites: one is a MERN ecommerce site and the other is a MERN social network, and bcrypt provides better functions than crypto. It is up to you.

npm install bcrypt

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type | Original Author | Original Content on Stackoverflow
Question | fancy | View Question on Stackoverflow
Solution 1 - node.js | Mike Scott | View Answer on Stackoverflow
Solution 2 - node.js | Igor Parra | View Answer on Stackoverflow
Solution 3 - node.js | Basav | View Answer on Stackoverflow
Solution 4 - node.js | Ehsan Shekari | View Answer on Stackoverflow
Solution 5 - node.js | Website coder | View Answer on Stackoverflow