-Authentication vs. Authorization
-How to not store passwords
-Cryptographic Hashing Functions
-Password Salts
-Intro to Bcrypt
Authentication vs. Authorization
Authentication
Is the process of verifying who a user is.
Username and password is a typical authentication combo, as well as security questions and facial recognition.
Authorization
Is verifying what a specific user has access to.
Now that we know who you are, this is what you are allowed to do or not allowed to do.
How to not store passwords
Rule 1 is to never store passwords in plain text within the database.
This is what a password stored in plain text looks like:
{
username: 'kittykat',
password: 'notpassword123!'
},
Hashing means running the password through a hashing function and storing the result in the database instead of the password itself.
Cryptographic Hashing Functions
Cryptographic hash functions are one-way functions that are infeasible to invert. A small change in the input yields a large change in the output. They are deterministic: the same input always yields the same output. It is infeasible to find two inputs that hash to the same value. Password hash functions are deliberately slow.
Password Salts
A salt is a random value that is added to the password before it is hashed.
Intro to Bcrypt
kelektiv / node.bcrypt.js
bcrypt for NodeJs
A library to help you hash passwords.
You can read about bcrypt in Wikipedia as well as in the following article How To Safely Store A Password
If You Are Submitting Bugs or Issues
Please verify that the NodeJS version you are using is a stable version; Unstable versions are currently not supported and issues created while using an unstable version will be closed.
If you are on a stable version of NodeJS, please provide a sufficient code snippet or log files for installation issues. The code snippet does not require you to include confidential information. However, it must provide enough information so the problem can be replicable, or it may be closed without an explanation.
Version Compatibility
Please upgrade to at least v5.0.0 to avoid security issues mentioned below.
Node Version | Bcrypt Version |
---|---|
0.4 | <= 0.4 |
0.6, 0.8, 0.10 | >= 0.5 |
0.11 | >= 0.8 |
4 | <= 2.1.0 |
8 | >= |
To install bcrypt from the terminal:
npm i bcrypt
To hash a password:
const bcrypt = require('bcrypt');
const saltRounds = 12;                            // cost factor: 2^12 rounds
bcrypt.genSalt(saltRounds, function(err, salt) {
  bcrypt.hash(myPlainTextPassword, salt, function(err, hash) {
    // store `hash` (it embeds the salt) in the database
  });
});
This generates the salt and the hash in separate function calls.
Within an app:
const bcrypt = require('bcrypt');

// Generate a salt with cost factor 12, then hash the password with it.
const hashPassword = async (pw) => {
  const salt = await bcrypt.genSalt(12);
  const hash = await bcrypt.hash(pw, salt);
  console.log(salt);
  console.log(hash);
  return hash;                                    // the hash string embeds the salt and cost
};

// Compare the login attempt against the stored hash. bcrypt reads the salt
// back out of the stored hash, so no separate salt lookup is needed.
const login = async (pw, hashedPassword) => {
  const result = await bcrypt.compare(pw, hashedPassword);
  if (result) {
    console.log("Logged In, Success!");
  } else {
    console.log("Incorrect");
  }
  return result;
};
hashPassword('monkey');