ReactJs,Mongodb
how can I overcome MITM, Man In The Middle Attack while sending password
If I am not allowed to store SHA256 hashed passwords,How should I implement without using any npm authentication packages
ReactJs,Mongodb
how can I overcome MITM, Man In The Middle Attack while sending password
If I am not allowed to store SHA256 hashed passwords,How should I implement without using any npm authentication packages
For further actions, you may consider blocking this person and/or reporting abuse
Matti Bar-Zeev -
Antonio | CEO at Litlyx.com -
Karan Kumar Gautam -
Ritesh Hiremath -
Top comments (11)
use TLS and HSTS so that your connection will be encrypted. It doesn't make it impossible but it makes it a lot harder. You can also use non-SMS based 2FA to increase security.
why aren't you allowed to store hashed passwords or use authentication libraries? You should never store passwords in clear. BTW don't use SHA256 if you can avoid it, there are better algorithms like Argon2 or the older PBKDF2
Have an assignment to build account-password system without npm auth package.Whats the best approach
Probably not directly helpful for what looks like a learning exercise in "things you shouldn't do unless you have to", but in the real world I would always look to delegate this part of an application to something sane like auth0.com, or AzureAD, or Facebook, Google, Twitter... much like your favourite dev website :)
More useful - all the stuff @rhymes said!
I'm not a node user so I'm going to be generic. Let's start with a "shopping list" of what you might need:
The registration flow is:
The login flow is:
This is the bare, bare, minimum.
Keep in mind that since there are no sessions in this scenario, the user will have to input their accounts everytime they decide to access the "protected" page.
thank you very much for getting me started.
like passport.js or other helper libraries,
thanks
OK then please go on with bcrypt (npmjs.com/package/bcrypt). It's a standard for hashing passwords. (It's almost the same algorithm that's in PHP pssword_hash)
It's not rocket science, really. You don't need to understand how it works, though I guess you will need to speak up about how it works but you can find various sources about that. (codahale.com/how-to-safely-store-a...)
thanks CAP!!!
Related. Things you wanted to know about storing passwords but were afraid to ask
thank you for the reference.