I am currently using the following for encrypting passwords:
var pass_shasum = crypto.createHash('sha256').update(req.body.password).digest('hex');
Could you please suggest improvements to make the project safer?
I use the follwing code to salt and hash passwords.
var bcrypt = require('bcrypt');
exports.cryptPassword = function(password, callback) {
bcrypt.genSalt(10, function(err, salt) {
if (err)
return callback(err);
bcrypt.hash(password, salt, function(err, hash) {
return callback(err, hash);
});
});
};
exports.comparePassword = function(password, userPassword, callback) {
bcrypt.compare(password, userPassword, function(err, isPasswordMatch) {
if (err)
return callback(err);
return callback(null, isPasswordMatch);
});
};
bcrypt also can be called synchronously. Sample Coffeescript:
bcrypt = require('bcrypt')
encryptionUtil =
encryptPassword: (password, salt) ->
salt ?= bcrypt.genSaltSync()
encryptedPassword = bcrypt.hashSync(password, salt)
{salt, encryptedPassword}
comparePassword: (password, salt, encryptedPasswordToCompareTo) ->
{encryptedPassword} = @encryptPassword(password, salt)
encryptedPassword == encryptedPasswordToCompareTo
module.exports = encryptionUtil
Also there is bcrypt-nodejs module for node. https://github.com/shaneGirish/bcrypt-nodejs.
Previously I used already mentioned here bcrypt module, but fall into problems on win7 x64. On the other hand bcrypt-nodejs is pure JS implementation of bcrypt and does not have any dependencies at all.