 

NodeJS: bcrypt vs native crypto

Can someone point out the differences between the two and example situations where to use each?

bcrypt looks great.

fancy asked Aug 05 '11 05:08



2 Answers

Use bcrypt where you want to do slow and computationally expensive hashing -- this will generally be for hashes where you really don't want an attacker to be able to reverse the hash, e.g. user passwords. Use native crypto for everything else.

Mike Scott answered Sep 27 '22 02:09


As a companion to @mike-scott's answer: prefer bcrypt for password-related work, but you can still use crypto for a wide range of tasks such as creating random tokens, an HMAC checksum, or SHA1/MD5 hashes:

```javascript
var crypto = require('crypto');

// random tokens: 16 random bytes, shown in hex and in base64
// (report the byte count of the buffer, not the length of the encoded string)
var buf = crypto.randomBytes(16);
console.log('Random token of %d bytes in hexadecimal: %s', buf.length, buf.toString('hex'));
buf = crypto.randomBytes(16);
console.log('Random token of %d bytes in base 64: %s', buf.length, buf.toString('base64'));

// a hash-based message authentication code (HMAC) using a shared secret key
// (this authenticates the message; it does not encrypt it)
var string = 'My coffee please';
var key = 'Right away sir';
var hmac = crypto.createHmac('sha1', key).update(string).digest('hex');
console.log('HMAC-SHA1 of "%s" under key "%s": %s', string, key, hmac);

// an MD5 hash
var hashmd5 = crypto.createHash('md5').update(string).digest('hex');
console.log('The MD5 hash of "%s" is %s', string, hashmd5);

// a SHA1 hash
var hashsha1 = crypto.createHash('sha1').update(string).digest('hex');
console.log('The SHA1 hash of "%s" is %s', string, hashsha1);
```
Igor Parra answered Sep 27 '22 02:09