Menu
I'm looking for some examples of how to securely store passwords and other sensitive data using node.js and mongodb.
I want everything to use a unique salt that I will store along side the hash in the mongo document.
For authentication do I have to just salt and encrypt the input and match it to a stored hash?
Should I ever need to decrypt this data and if so how should I do it?
How are the private keys, or even salting methods securely stored on the server?
I've heard the AES and Blowfish are both good options, what should I use?
Any examples of how to design this would be wonderfully helpful!
Thanks!
258
js, MongoDB, and Mongoose, there will be times where you'll need to handle user passwords. Since it's a big no-no to store passwords as plain-text in your database, how are you supposed to handle and store them? The answer is to create what's called a hash of the password.
As of version 3.2, MongoDB has no native support for password hashing like some SQL databases provide, so you will have to implement it in Java. To generate a new account or change the password of an existing account: generate a cryptographically secure random salt value with java. security.
MongoDB represents the data as a collection of documents rather than tables related by foreign keys. This makes it possible for the varied types of data dealt over the internet to be stored decently and accessed in the web applications using Node. js.
Use this: https://github.com/ncb000gt/node.bcrypt.js/
bcrypt is one of just a few algorithms focused on this use case. You should never be able to decrypt your passwords, only verify that a user-entered cleartext password matches the stored/encrypted hash.
bcrypt is very straightforward to use. Here is a snippet from my Mongoose User schema (in CoffeeScript). Be sure to use the async functions as bycrypt is slow (on purpose).
class User extends SharedUser defaults: _.extend {domainId: null}, SharedUser::defaults #Irrelevant bits trimmed... password: (cleartext, confirm, callback) -> errorInfo = new errors.InvalidData() if cleartext != confirm errorInfo.message = 'please type the same password twice' errorInfo.errors.confirmPassword = 'must match the password' return callback errorInfo message = min4 cleartext if message errorInfo.message = message errorInfo.errors.password = message return callback errorInfo self = this bcrypt.gen_salt 10, (error, salt)-> if error errorInfo = new errors.InternalError error.message return callback errorInfo bcrypt.encrypt cleartext, salt, (error, hash)-> if error errorInfo = new errors.InternalError error.message return callback errorInfo self.attributes.bcryptedPassword = hash return callback() verifyPassword: (cleartext, callback) -> bcrypt.compare cleartext, @attributes.bcryptedPassword, (error, result)-> if error return callback(new errors.InternalError(error.message)) callback null, result Also, read this article, which should convince you that bcrypt is a good choice and help you avoid becoming "well and truly effed".
141
This is the best example I've come across to date, uses node.bcrypt.js http://devsmash.com/blog/password-authentication-with-mongoose-and-bcrypt
44
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
