Why are people using third party packages like bcrypt to hash user credentials instead of Node's own built-in classes and methods?
https://nodejs.org/api/crypto.html#cryptoscryptpassword-salt-keylen-options-callback
Reduce packages (and dependencies) by using Node's asynchronous scrypt method.
Well, how does it work?
import { scrypt, randomBytes } from 'crypto';

function createUser(username, password, callback) {
  const salt = randomBytes(32).toString('hex'); // fresh random salt per user
  scrypt(password, salt, 32, (err, derivedKey) => {
    if (err) return callback(err);
    const userToCreate = {
      password: derivedKey.toString('hex'),
      username: username,
      salt: salt,
    };
    callback(null, userToCreate);
  });
}
The userToCreate object will then contain the hashed password as well as the random salt. Because a fresh salt is generated for every user, the stored hash and salt will differ even if two users choose the same password. That's exactly what we want!
Top comments (2)
Mostly due to this: security.stackexchange.com/questio...
Please leave a comment on any thoughts you may have regarding using bcrypt as a separate package instead of a built-in functionality.