Security Differences with bcrypt Node.js Modules

Tags: node.js, bcrypt

One of my projects is using the bcrypt module for hashing secrets. A handful of people complain that it's hard to install because of its dependencies. I've tried to install it on a Windows Server before; it's not a walk in the park.

People are asking me to use pure JavaScript drop-in replacements such as dcodeIO/bcrypt.js and shaneGirish/bcrypt-nodejs. But I really don't know the security implications of using them. Are they just as reliable?

jedireza asked Apr 02 '14 04:04


1 Answer

Provided that these implementations are correct, you should use the fastest bcrypt available, which most likely means a non-JS implementation.

You should assume that an attacker has the quickest implementation available, and you want to slow the attacker down by increasing the cost of computation as much as you reasonably can.

dchest answered Sep 28 '22 01:09
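The following is an added example, not part of the original question or answer. It shows how a fixed login-latency budget turns implementation speed into a bcrypt cost factor, and how much cheaper each stored hash becomes for an attacker when the defender's implementation is slower. The function names and the sample timings are hypothetical and constructed for illustration; they are not benchmarks of any real module.

```javascript
// bcrypt work doubles with each +1 of the cost factor (valid range 4..31),
// so a timing measured at one cost can be extrapolated to the others.

// Median wall-clock ms of hashFn(password, cost) over `runs` calls.
// hashFn is injected, e.g. (pw, c) => bcrypt.hashSync(pw, c) for the module under test.
function medianHashMs(hashFn, cost, runs = 5) {
  const samples = [];
  for (let i = 0; i < runs; i++) {
    const t0 = performance.now();
    hashFn("calibration-password", cost);
    samples.push(performance.now() - t0);
  }
  samples.sort((a, b) => a - b);
  return samples[Math.floor(samples.length / 2)];
}

// Highest cost whose projected hashing time still fits the latency budget.
function maxCostWithinBudget(msAtBaseCost, baseCost, budgetMs) {
  if (!(msAtBaseCost > 0) || !(budgetMs > 0)) {
    throw new RangeError("timings must be positive");
  }
  let cost = baseCost;
  let ms = msAtBaseCost;
  while (cost > 4 && ms > budgetMs) { cost--; ms /= 2; }       // base cost too slow
  while (cost < 31 && ms * 2 <= budgetMs) { cost++; ms *= 2; } // room to go higher
  return { cost, projectedMs: ms };
}

// For each implementation, the cost it can afford and how many times cheaper
// its stored hashes are to guess than those of the best implementation.
function compareImplementations(timings, baseCost, budgetMs) {
  const picks = timings.map((t) => ({
    name: t.name,
    ...maxCostWithinBudget(t.ms, baseCost, budgetMs),
  }));
  const best = Math.max(...picks.map((p) => p.cost));
  return picks.map((p) => ({ ...p, attackerSpeedup: 2 ** (best - p.cost) }));
}

// Constructed sample timings at cost 8 (not real measurements).
const sample = [
  { name: "native", ms: 3 },
  { name: "pure-js", ms: 9 },
];
console.log(compareImplementations(sample, 8, 250));
```

To calibrate a real deployment, replace the constructed timings with `medianHashMs` results measured on the production hardware for each candidate module.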