Compare two password hashes -- nodejs


I think your problem is in the salt. Usually you have to store the salt you used to hash the first time and reuse it the second time around. The reason for the salt is to make sure that the hash doesn't map to the original password if a hacker retrieves it from a compromised system (using a rainbow table attack). See Why do we use the "salt" to secure our passwords?

If you try

var crypto = require('crypto');

// generated once and kept in module scope, so every request reuses the same salt
var salt = crypto.randomBytes(128).toString('base64');

var hashPwd = function hashPwd(salt, pwd) {
    // HMAC-SHA256 keyed with the salt
    var hmac = crypto.createHmac('sha256', salt);
    return hmac.update(pwd).digest('hex');
};

// hash the submitted password with the stored salt and compare with the existing hash
var passHash = hashPwd(salt, data.Password);
console.log('the password is', user.PassHash === passHash);

It would work as long as you don't restart the server (assuming you store the salt variable outside the scope of the function invoked to respond to the HTTP request).

A better solution (imo) is what bcrypt is doing. There you generate a salt per password, but to verify that a password is correct you use compare, which uses the salt stored in the hash. This way you can use different salts with each password, meaning you don't have to worry as much about a salt being compromised.

npm install bcrypt

var bcrypt = require('bcrypt');
// second argument: salt rounds (cost); the per-password salt is generated for you
var hash = bcrypt.hashSync("my password", 10);

bcrypt.compareSync("my password", hash); // true
bcrypt.compareSync("not my password", hash); // false

There is also compareAsync and other async variants. See also: https://www.npmjs.com/package/bcrypt-nodejs

Author: Nuru Salihu

Updated on July 19, 2022

Comments

  • Nuru Salihu (almost 2 years ago)

    I am using crypto (https://nodejs.org/api/crypto.html) for password encryption and authentication. I am working on the change-password page and am having a problem determining whether the password provided by the user has the same hash as the existing password. Below is my code.

    var crypto = require('crypto');

    var createSalt = function createSalt() {
        return crypto.randomBytes(128).toString('base64');
    };

    var hashPwd = function hashPwd(salt, pwd) {
        // HMAC-SHA256 keyed with the salt
        var hmac = crypto.createHmac('sha256', salt);
        return hmac.update(pwd).digest('hex');
    };

    //use password , create salt, hash and compare with the existing
    var salt = createSalt(); // a new random salt on every call
    var passHash = hashPwd(salt, data.Password);
    console.log('the password is', user.PassHash === passHash);
    

    I am expecting the console message above to print true where the existing user password matches. However, the two hashes do not seem to match at all. Please, what am I missing? How do I achieve this? I want to make sure the user's password matches his existing password before he can change to a new one. Any help would be appreciated.