Node.js hashing of passwords

I use the following code to salt and hash passwords. var bcrypt = require('bcrypt'); exports.cryptPassword = function(password, callback) { bcrypt.genSalt(10, function(err, salt) { if (err) return callback(err); bcrypt.hash(password, salt, function(err, hash) { return callback(err, hash); }); }); }; exports.comparePassword = function(plainPass, hashword, callback) { bcrypt.compare(plainPass, hashword, function(err, isPasswordMatch) { return err == null ? callback(null, … Read more

What is currently the most secure one-way encryption algorithm?

Warning: Since this post was written in 2010, GPUs have been widely deployed to brute-force password hashes. Moderately-priced GPUs can run ten billion MD5s per second. This means that even a completely-random 8-character alphanumeric password (62 possible characters) can be brute forced in 6 hours. SHA-1 is only slightly slower, it’d take one day. Your … Read more

How to use PHP’s password_hash to hash and verify passwords

Using password_hash is the recommended way to store passwords. Don't separate them to DB and files. Let's say we have the following input: $password = $_POST['password']; You first hash the password by doing this: $hashed_password = password_hash($password, PASSWORD_DEFAULT); Then see the output: var_dump($hashed_password); As you can see it's hashed. (I assume you did those steps). … Read more

How can I store my users’ passwords safely?

The easiest way to get your password storage scheme secure is by using a standard library. Because security tends to be a lot more complicated, with more invisible screw-up possibilities, than most programmers could tackle alone, using a standard library is almost always the easiest and most secure (if not the only) available option. … Read more

Is “double hashing” a password less secure than just hashing it once?

Hashing a password once is insecure. No, multiple hashes are not less secure; they are an essential part of secure password use. Iterating the hash increases the time it takes for an attacker to try each password in their list of candidates. You can easily increase the time it takes to attack a password from … Read more