node.js securing the username/password database

Following on from my last post, I decided to look at a better solution for password hashing, as the last example just used SHA1, which is far from optimal. So here are some changes to handle hashing via a PBKDF2 function, which is far better and far more secure.

The passport auth function now looks like this:

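passport.use(new LocalStrategy(function(username, password, done) {
    // Verify a username/password pair against the stored PBKDF2 hash.
    // Database errors go straight to passport via done(err); an unknown user,
    // an incomplete record or a non-matching password all yield done(null, false, ...).
    Users.findOne({ username : username }, function(err, user) {
        if (err) { return done(err); }
        if (!user) {
            return done(null, false, { message: 'Incorrect username.' });
        }
        // A record without a usable salt/hash can never match; fail cleanly
        // instead of letting pbkdf2Sync throw inside the callback.
        if (typeof user.salt !== 'string' || typeof user.password !== 'string') {
            return done(null, false, { message: 'Incorrect password.' });
        }

        // These must be exactly the values used when the hash was stored (see
        // the adduser route); changing any of them invalidates existing hashes.
        // The digest is spelled out because newer Node releases no longer
        // default it and throw when it is omitted ('sha1' is the old default).
        var iterations = 2500;
        var keylen = 512;
        var digest = 'sha1';
        var salt = user.salt;
        var hash = Buffer.from(crypto.pbkdf2Sync(password, salt, iterations, keylen, digest)).toString('base64');

        // Compare in constant time so response timing does not reveal how much
        // of the hash matched. timingSafeEqual throws on unequal lengths, so a
        // length mismatch is treated as a plain failure first.
        var stored = Buffer.from(user.password);
        var computed = Buffer.from(hash);
        var matches = stored.length === computed.length && crypto.timingSafeEqual(computed, stored);

        if (matches) {
            return done(null, user._id);
        }
        return done(null, false, { message: 'Incorrect password.' });
    });
}));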

This requires that we have the following fields in the database (record): username, password and salt.

To add a new user to the database you could use a route like the following, which accepts a POST request:


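exports.adduser2 = function(db, crypto) {
    // Builds an Express route handler that creates a user from a POST body
    // carrying `username` and `password`. Only a random per-user salt and the
    // PBKDF2 hash derived with it are stored; the plaintext password is not.
    // The handler relies on Express passing `next` so insert errors can be reported.
    return function(req, res, next) {
        var collection = db.get('users');

        var password = req.body.password;
        var username = req.body.username;

        // req.body is untrusted input: pbkdf2Sync throws on a non-string
        // password, which would crash the request instead of reporting a
        // client error, and an empty username/password is never valid.
        if (typeof username !== 'string' || username === '' ||
            typeof password !== 'string' || password === '') {
            return res.status(400).send('username and password are required');
        }

        // Must match the settings used by the login check exactly; changing
        // them means every existing hash has to be regenerated. The digest is
        // explicit because newer Node releases throw when it is omitted
        // ('sha1' is what the old implicit default produced).
        var iterations = 2500;
        var keylen = 512;
        var digest = 'sha1';
        // randomBytes already returns a Buffer; no copy is needed before hex-encoding.
        var salt = crypto.randomBytes(512).toString('hex');
        var hash = Buffer.from(crypto.pbkdf2Sync(password, salt, iterations, keylen, digest)).toString('base64');

        // Redirect only once the write has completed so a failed insert is
        // reported through next(err) rather than silently dropped.
        // NOTE(review): assumes collection.insert accepts a node-style callback
        // (true of monk-style db.get(...) collections) - confirm against the driver in use.
        // No duplicate-username check is done here; a unique index on `username`
        // is the place to enforce that.
        collection.insert({
            "username" : username,
            "password" : hash,
            "salt" : salt
        }, function(err) {
            if (err) { return next(err); }
            // res.redirect sets the Location header itself.
            res.redirect("productlist");
        });
    };
};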

The number of iterations, the key length and the salt length can all be changed to increase difficulty, but I believe that's pretty darn difficult with those options. Do ensure, though, that you use the same settings for key length and iterations in the adduser and the password-checking functions!
