DEV Community

Cover image for Foal v2.11 has been released with better password management
Loïc Poullain
Loïc Poullain

Posted on • Originally published at foalts.org

Foal v2.11 has been released with better password management

Banner

Version 2.11 of Foal is out! Here are the improvements that it brings:

Number of Iterations on Password Hashing Has Been Increased

The PBKDF2 algorithm (used for password hashing) uses a number of iterations to hash passwords. This work factor is deliberate and slows down potential attackers, making attacks against hashed passwords more difficult.

As computing power increases, the number of iterations must also increase. This is why, starting with version 2.11, the number of iterations has been increased to 310,000.

To check that an existing password hash is using the latest recommended number of iterations, you can use the passwordHashNeedsToBeRefreshed function.

The example below shows how to perform this check during a login and how to upgrade the password hash if the number of iterations turns out to be too low.

const { email, password } = ctx.request.body;

const user = await User.findOne({ email });

if (!user) {
  return new HttpResponseUnauthorized();
}

if (!await verifyPassword(password, user.password)) {
  return new HttpResponseUnauthorized();
}

// highlight-start
// This line must be after the password verification.
if (passwordHashNeedsToBeRefreshed(user.password)) {
  user.password = await hashPassword(password);
  await user.save();
}
// highlight-end

// Log the user in.
Enter fullscreen mode Exit fullscreen mode

Top comments (0)