Node.js password hashing bcrypt alternative using crypto

javascript node.js passwords cryptography bcrypt

10,841

Solution 1

You can hash using pbkdf2 from the crypto library:

crypto.pbkdf2(password, salt, iterations, keylen, digest, callback)

Sample implementation:

const crypto = require('crypto');
crypto.pbkdf2('secret', 'salt', 100000, 512, 'sha512', (err, derivedKey) => {
  if (err) throw err;
  console.log(derivedKey.toString('hex'));  // '3745e48...aa39b34'
});

here goes the reference: https://nodejs.org/api/crypto.html#crypto_crypto_pbkdf2_password_salt_iterations_keylen_digest_callback

It uses HMAC digest algorithm such as sha512 to derive a key of given length from the given password, salt and iterations. Pbkdf2 has similar slowness features like bcrypt. With PBKDF2, bcrypt, or scrypt, the attacker can only make a few thousand guesses per second (or less, depending on the configuration).

Solution 2

bcrypt will be more secure than crypto, simply because it's slower. However, here are some password functions I wrote in coffeescript using crypto (I join the create_password parts with a '$', you'll see that split in check_password):

  create_password = function(passwd, method, salt) {
    var hmac;
    method || (method = "sha1");
    salt || (salt = crypto.randomBytes(6).toString('base64'));
    hmac = crypto.createHmac(method, salt);
    hmac.end(passwd);
    return {
      hash: hmac.read().toString('hex'),
      salt: salt,
      method: method
    };
  };

  check_password = function(hashed, passwd) {
    var hash, hashp, method, salt, _ref;
    _ref = hashed.split("$"), method = _ref[0], salt = _ref[1], hashp = _ref[2];
    hash = create_password(passwd, method, salt).hash;
    return hash === hashp;
  };

Example usage:

passwd = "SOME STRING HERE"
hash_parts = create_password(passwd)
hashed = pwd_parts.method + "$" + pwd_parts.salt + "$" + pwd_parts.hash
check_password(hashed, passwd)

Solution 3

As of 24th April 2020 There is a nice built in way of hashing passwords using scrypt in the crypto module. Its very secure since it utilizes a salt for hashing the password and its based off scrypt

// built right into nodejs
const crypto = require("crypto");

// salt - any random string here (ideally should be above 16 bytes)
const salt = "EoAZAJtVDdzPZmOxpx0EnqLmREYUfq";
function getHash() {
  return crypto.scryptSync("your-password-here", salt, 32).toString("hex");
}

Note: i used 32 characters in length but you can specify your desired length

10,841

Author by

itsme

Updated on June 15, 2022

Comments

itsme almost 2 years
I'm actually using bcrypt module to hash and compare hashed passwords.

What i would like to do is to remove the bcrypt module and use the default crypto library both for hashing and comparing passwords.

Is this possible?

Will this be less safe than using node-bcrypt?

Do you have any example/tutorial/doc/link on how to do?

or example i'm doing like this actually:
```
bcrypt.hash(string,secret_key)
bcrypt.compare(string,string,secret_key);
```
i just would like to replicate this with crypto if possible:
```
crypto.hash(string,secret_key)
    crypto.compare(string,string,secret_key);
```