One of my projects is using the bcrypt
module for hashing secrets. A handful of people complain that it's hard to install because of it's dependencies. I've tried to install it on a Windows Server before, it's not a walk in the park.
People are asking me to use pure Javascript drop-in replacements such as dcodeIO/bcrypt.js and shaneGirish/bcrypt-nodejs. But I really don't know the security implications of using them. Are they just as reliable?
Provided that these implementations are correct, you should use the fastest bcrypt available, which most likely means non-JS implementation.
You should assume that an attacker has the most quickest implementation available, and you want to slow the attacker down by increasing the cost of computation as much as you reasonably can.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With