Question

31

Storing passwords with Node.js and MongoDB

rated 0 times [ 34] [ 3] / answers: 1 / hits: 41697 / 13 Years ago, fri, august 5, 2011, 12:00:00

I'm looking for some examples of how to securely store passwords and other sensitive data using node.js and mongodb.

I want everything to use a unique salt that I will store along side the hash in the mongo document.

For authentication do I have to just salt and encrypt the input and match it to a stored hash?

Should I ever need to decrypt this data and if so how should I do it?

How are the private keys, or even salting methods securely stored on the server?

I've heard the AES and Blowfish are both good options, what should I use?

Any examples of how to design this would be wonderfully helpful!

Thanks!

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

raveno

Add To Favorites

Follow

Total Points: 453

Total Questions: 92

Total Answers: 92

Location: France

Member since Thu, Oct 27, 2022

2 Years ago

raveno questions

1 Webpacker error related to module babel-plugin-syntax-dynamic-import

Wed, Jun 24, 20, 00:00, 4 Years ago

1 Problem with using map to populate select in React / Material UI

Sat, Feb 29, 20, 00:00, 4 Years ago

1 How to use a Global Variable in Jest

Fri, Dec 20, 19, 00:00, 5 Years ago

1 No node found for selector in headless true mode of puppeteer

Thu, Sep 26, 19, 00:00, 5 Years ago

1 How to fix Uncaught TypeError: Cannot read property 'Timestamp' of undefined?

Sat, Jun 22, 19, 00:00, 5 Years ago

View All

answered 13 Years ago dominickmackenziet · Accepted Answer

Use this: https://github.com/ncb000gt/node.bcrypt.js/

bcrypt is one of just a few algorithms focused on this use case. You should never be able to decrypt your passwords, only verify that a user-entered cleartext password matches the stored/encrypted hash.

bcrypt is very straightforward to use. Here is a snippet from my Mongoose User schema (in CoffeeScript). Be sure to use the async functions as bycrypt is slow (on purpose).

class User extends SharedUser

  defaults: _.extend {domainId: null}, SharedUser::defaults



  #Irrelevant bits trimmed...



  password: (cleartext, confirm, callback) ->

    errorInfo = new errors.InvalidData()

    if cleartext != confirm

      errorInfo.message = 'please type the same password twice'

      errorInfo.errors.confirmPassword = 'must match the password'

      return callback errorInfo

    message = min4 cleartext

    if message

      errorInfo.message = message

      errorInfo.errors.password = message

      return callback errorInfo

    self = this

    bcrypt.gen_salt 10, (error, salt)->

      if error

        errorInfo = new errors.InternalError error.message

        return callback errorInfo

      bcrypt.encrypt cleartext, salt, (error, hash)->

        if error

          errorInfo = new errors.InternalError error.message

          return callback errorInfo

        self.attributes.bcryptedPassword = hash

        return callback()



  verifyPassword: (cleartext, callback) ->

    bcrypt.compare cleartext, @attributes.bcryptedPassword, (error, result)->

      if error

        return callback(new errors.InternalError(error.message))

      callback null, result

Also, read this article, which should convince you that bcrypt is a good choice and help you avoid becoming well and truly effed.