Comments (16)
I'd rather not expire my users passwords, but in stead just silently replace hashes with stronger ones
on log in. I think this has to be handled in user land. Something along the lines of:
- fetch user from storage
- verify
- if hash i considered outdated, save a new hash from cleartext password
from credential.
For safety, password should expire periodically, anyway. Not frequently, but annually isn't terrible.
from credential.
Both those password update options should be out-of-scope for this library, anyway, since they really have nothing to do with password hashing and verification, and everything to do with your UX. Detecting that the password is out of date should be enough to get the ball rolling.
from credential.
Yes, but that is the responsibility of the application IMO.
I propose a method such as "expired(hash, threshold) -> bool"
Is there maybe a better word than "expired"? Something stating; this hash could be better.
A threshold and a more-than-annual increase would be nice to avoid having all users upgrade at 01.01.2016 00:00:00 on the same server each hour ;-)
from credential.
Well, you said it. We were actually more on the same page than I realized.
from credential.
👍
How about "untrusted" instead of "expired"?
from credential.
Want to take a crack at a PR?
from credential.
Would love to, will try to squeeze it in this weekend.
from credential.
Awesome. 👍
from credential.
It seems that if there isn't an explicit iteration count included with the hash, so there would need to be either a year
or created
field added so that the hashes can be calculated and compared. This was my concern in #9.
from credential.
I've seen #9, and I think the iteration count should be stored as well. I think this is what scrypt does as well (https://github.com/barrysteyn/node-scrypt).
from credential.
I'm willing to ditch the hidden work unit modifier in favor of storing the year in the hash.
from credential.
Go ahead with the breaking change. I think that basing iterations on the current year is much more secure than the security by obscurity in the "hidden" iteration count. ;)
from credential.
Awesome.
The stored hash should IMO be independent from the implementation such that you can freely update/enhance the implementation without invalidating the whole database.
from credential.
I think #14 should be solved first/independently as this seems more like a smaller enhancement to the "determine iterations"-logic.
But I'll happily have a crack at it all in the weekend.
from credential.
Sounds like a great plan. Thanks! 👍
from credential.
Related Issues (20)
- I can't make the cli work HOT 8
- Verifying with a pre-parsed JSON object HOT 4
- What if an attacker know that I am using this library? HOT 9
- The use of "time" - a weakness worth noting? HOT 13
- Why hash() just return string rather than object? HOT 2
- fix failing CI server
- Does it really needs webpack? HOT 7
- Node v6 deprecation - "crypto.pbkdf2 without specifying a digest is deprecated" HOT 3
- Release v2.0.0 on npm HOT 3
- Support bcrypt hashing method? HOT 1
- performance optimisation HOT 4
- Make errors programmatically processable HOT 7
- Do not encourage people to write security issue in public places HOT 1
- Default number of iterations seems extreme HOT 2
- Due to the large number of iterations, Its consuming the full CPU usage. HOT 7
- Update deps, freshen code, release new major version. HOT 7
- Bad default settings HOT 4
- the 'verify' function takes too much time, about 1.3 seconds HOT 2
- Inconsistent use of bytes length/encodings? HOT 3
- Hash and Verify taking too much time HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from credential.