Storing passwords with Node.js and MongoDB

JavascriptMongodbnode.jsCryptographyAes

Javascript Problem Overview

I'm looking for some examples of how to securely store passwords and other sensitive data using node.js and mongodb.

I want everything to use a unique salt that I will store along side the hash in the mongo document.

For authentication do I have to just salt and encrypt the input and match it to a stored hash?

Should I ever need to decrypt this data and if so how should I do it?

How are the private keys, or even salting methods securely stored on the server?

I've heard the AES and Blowfish are both good options, what should I use?

Any examples of how to design this would be wonderfully helpful!

Thanks!

Javascript Solutions

Solution 1 - Javascript

Use this: https://github.com/ncb000gt/node.bcrypt.js/

bcrypt is one of just a few algorithms focused on this use case. You should never be able to decrypt your passwords, only verify that a user-entered cleartext password matches the stored/encrypted hash.

bcrypt is very straightforward to use. Here is a snippet from my Mongoose User schema (in CoffeeScript). Be sure to use the async functions as bycrypt is slow (on purpose).

class User extends SharedUser
  defaults: _.extend {domainId: null}, SharedUser::defaults

  #Irrelevant bits trimmed...

  password: (cleartext, confirm, callback) ->
    errorInfo = new errors.InvalidData()
    if cleartext != confirm
      errorInfo.message = 'please type the same password twice'
      errorInfo.errors.confirmPassword = 'must match the password'
      return callback errorInfo
    message = min4 cleartext
    if message
      errorInfo.message = message
      errorInfo.errors.password = message
      return callback errorInfo
    self = this
    bcrypt.gen_salt 10, (error, salt)->
      if error
        errorInfo = new errors.InternalError error.message
        return callback errorInfo
      bcrypt.encrypt cleartext, salt, (error, hash)->
        if error
          errorInfo = new errors.InternalError error.message
          return callback errorInfo
        self.attributes.bcryptedPassword = hash
        return callback()

  verifyPassword: (cleartext, callback) ->
    bcrypt.compare cleartext, @attributes.bcryptedPassword, (error, result)->
      if error
        return callback(new errors.InternalError(error.message))
      callback null, result

Also, read this article, which should convince you that bcrypt is a good choice and help you avoid becoming "well and truly effed".

Solution 2 - Javascript

This is the best example I've come across to date, uses node.bcrypt.js http://devsmash.com/blog/password-authentication-with-mongoose-and-bcrypt

Categories
Recommended Javascript Solutions
Recommended Mongodb Solutions
Recommended node.js Solutions
Recommended Cryptography Solutions
Recommended Aes Solutions

Previous Solution:

Stop reloading of web app launched from iPhone Home Screen

IphoneIosMobile SafariIphone Standalone-Web-App

Next Solution:

Why main() in C++ cannot be inlined?

C++InlineMain

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionfancyView Question on Stackoverflow
Solution 1 - JavascriptPeter LyonsView Answer on Stackoverflow
Solution 2 - JavascriptchovyView Answer on Stackoverflow