Correct way to store passwords in Node.js
Use bcrypt, why?
http://codahale.com/how-to-safely-store-a-password/
ncb000gt created an awesome module to do just that!
https://github.com/ncb000gt/node.bcrypt.js/
var bcrypt = require('bcrypt');

// 5 is the cost (work) factor: each +1 doubles the hashing time for you and for an attacker.
// A random salt is generated automatically and stored inside the resulting hash string.
bcrypt.hash('password', 5, function(err, bcryptedPassword) {
    if (err) { /* handle error */ return; }
    //save to db
});

//to compare password that user supplies in the future
var hash = getFromDB(..);
bcrypt.compare(userSuppliedPassword, hash, function(err, doesMatch){
    if (err) { /* handle error */ return; }
    if (doesMatch){
        //log him in
    }else{
        //go away
    }
});
Huge props to ncb000gt (Nick Campbell) for making this awesome module
Written by Dmytro Yashkir
3 Responses
Is this better or worse than hashing the password on the client? (Say with something like: http://crypto.stanford.edu/sjcl/)
They are different things. bcrypt's work factor prevents brute forcing the passwords stored on the server. When someone breaks into your system they will not be able to run a brute force and crack all the passwords of your users; since people tend to use the same passwords all over the place, this is very useful. Passwords are also salted. The first link explains it better than I can.
Great tip. Thanks for sharing.
I would recommend using the default 10 rounds when "salting", bcrypt.hash('password', 10, func ...