Skip to content

Instantly share code, notes, and snippets.

@nakaz
Forked from JoeKarlsson/README.md
Created August 10, 2017 02:35
Show Gist options
  • Save nakaz/820a4f16d255b9134186a6b91855a01b to your computer and use it in GitHub Desktop.
Save nakaz/820a4f16d255b9134186a6b91855a01b to your computer and use it in GitHub Desktop.
Lecture on password encryption, hashing, and bcrypt

How To Safely Store A Password

Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt.

Why Not {MD5, SHA1, SHA256, SHA512, SHA-3, etc}?

These are all general purpose hash functions, designed to calculate a digest of huge amounts of data in as short a time as possible. This means that they are fantastic for ensuring the integrity of data and utterly rubbish for storing passwords.

bcrypt Solves These Problems

How? Basically, it’s slow as hell. It uses a variant of the Blowfish encryption algorithm’s keying schedule, and introduces a work factor, which allows you to determine how expensive the hash function will be.

What is a Salt?

In cryptography, a salt is random data that is used as an additional input to a one-way function that "hashes" a password or passphrase. Salts are closely related to the concept of nonce. The primary function of salts is to defend against dictionary attacks versus a list of password hashes and against pre-computed rainbow table attacks.

https://github.com/ncb000gt/node.bcrypt.js https://en.wikipedia.org/wiki/Bcrypt https://codahale.com/how-to-safely-store-a-password/

const bcrypt = require('bcrypt');
// genSalt - the cost of processing the data. (default - 10)\
const saltRounds = 10;
const myPlaintextPassword = 'password';
const someOtherPlaintextPassword = 'not_bacon';
bcrypt.genSalt(saltRounds, (err, salt) => {
bcrypt.hash(myPlaintextPassword, salt, (err, hash) => {
// Store hash in your password DB.
console.log('hash: ', hash);
// Load hash from your password DB.
bcrypt.compare(myPlaintextPassword, hash, (err, res) => {
// res == true
console.log(res)
});
bcrypt.compare(someOtherPlaintextPassword, hash, (err, res) => {
// res == false
console.log(res)
});
});
});
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment