I'm actually using the bcrypt module to hash and compare hashed passwords.
What I would like to do is to remove the bcrypt module and use the default crypto library both for hashing and comparing passwords.
Is this possible?
Will this be less safe than using node-bcrypt?
Do you have any example/tutorial/doc/link on how to do it?
For example, I'm doing like this actually:
bcrypt.hash(string,secret_key)
bcrypt.compare(string,string,secret_key);
I just would like to replicate this with crypto if possible:
crypto.hash(string,secret_key)
crypto.compare(string,string,secret_key);
asked Apr 2, 2014 at 18:22 by Filippo oretti (edited Apr 2, 2014 at 18:37)
4 Answers
You can hash using pbkdf2 from the crypto library:
crypto.pbkdf2(password, salt, iterations, keylen, digest, callback)
Sample implementation:
const crypto = require('crypto');
crypto.pbkdf2('secret', 'salt', 100000, 512, 'sha512', (err, derivedKey) => {
if (err) throw err;
console.log(derivedKey.toString('hex')); // '3745e48...aa39b34'
});
here goes the reference: https://nodejs.org/api/crypto.html#crypto_crypto_pbkdf2_password_salt_iterations_keylen_digest_callback
It uses an HMAC digest algorithm such as sha512 to derive a key of the given length from the given password, salt and iteration count. PBKDF2 has slowness properties similar to bcrypt's. With PBKDF2, bcrypt, or scrypt, the attacker can only make a few thousand guesses per second (or less, depending on the configuration).
bcrypt will be more secure than crypto, simply because it's slower. However, here are some password functions I wrote in coffeescript using crypto (I join the create_password parts with a '$'; you'll see that split in check_password):
var crypto = require('crypto');

create_password = function(passwd, method, salt) {
  var hmac;
  method || (method = "sha1");
  // generate a fresh random salt (6 bytes, base64) when none is supplied
  salt || (salt = crypto.randomBytes(6).toString('base64'));
  hmac = crypto.createHmac(method, salt);
  hmac.update(passwd);
  return {
    hash: hmac.digest('hex'),
    salt: salt,
    method: method
  };
};
check_password = function(hashed, passwd) {
  var hash, hashp, method, salt, _ref;
  // stored form is method$salt$hash
  _ref = hashed.split("$"), method = _ref[0], salt = _ref[1], hashp = _ref[2];
  // re-derive with the stored method and salt, then compare to the stored hash
  hash = create_password(passwd, method, salt).hash;
  return hash === hashp;
};
Example usage:
passwd = "SOME STRING HERE"
pwd_parts = create_password(passwd)
hashed = pwd_parts.method + "$" + pwd_parts.salt + "$" + pwd_parts.hash
check_password(hashed, passwd)
As of 24th April 2020 there is a nice built-in way of hashing passwords using scrypt in the crypto module. It's very secure since it utilizes a salt for hashing the password and it's based off scrypt.
// built right into nodejs
const crypto = require("crypto");
// salt - any random string here (ideally should be above 16 bytes)
const salt = "EoAZAJtVDdzPZmOxpx0EnqLmREYUfq";
function getHash() {
return crypto.scryptSync("your-password-here", salt, 32).toString("hex");
}
Note: I used 32 characters in length but you can specify your desired length
An alternative is bcryptjs. The concept is the same as bcrypt but with no dependencies and compatible with bcrypt.
https://github.com/dcodeIO/bcrypt.js
https://www.npmjs.com/package/bcryptjs