Comments (6)
I am not really an expert on this but my take is: as long as compute power increases, any hash would eventually become vulnerable. That is why you should rehash your users' passwords with ever more cycles from time to time. A log containing "old" hashes would entirely defeat this purpose.
If you read some comments on the #16 issue, you will understand though, that all efforts in this regard are, when taking it to a high enough level, obsolete. So one conclusion could be: as passwords are inherently weak, the vector from computers getting faster is too small in comparison to care about (things like educating users are better "real security" per time spent).
Anyway, if you have the option to avoid them in the logs, I would say do that.
from credential.
Avoid logging anything password related.
from credential.
Thank you for your answers. One thing I'm not sure I get right is how iterations are controlled: when Thomas, you say hashing with ever more cycles, how do I control that with `credential`? There is no parameter for that, right? Will future releases progressively increase iterations in the default hash function?
from credential.
> There is no parameter for that, right?

Yes there is; `work`, and it has an initial value of `1`. You can double the iteration count by setting it to `2`, making your hashing take twice as long.

> Will future releases progressively increase iterations?

It does so already: https://github.com/ericelliott/credential/blob/master/credential.js#L96-L100
The number of iterations increases every second, making each new hash slightly stronger than the previous.
You'll have to implement the code to do the actual updating of current hashes yourself though (e.g. when a user logs in, because you need the clear text password), and that is what the `expired` method (https://github.com/ericelliott/credential/blob/master/credential.js#L111-L116) is for.
Be aware that the current release on npm does not include these last two features though, and that the `work` parameter was called `workUnits` and had an initial value of `60`.
I hope we get a new release soon though (see #24).
from credential.
Oh, right, in the `configure` method. Thanks for the tips!
Two ideas for the readme:
- adding a statement for newcomers on the level of trust we can have in default settings, like, is there a need to use the configure function at all for a "normal" app
- a statement or an example illustrating where this configure function should be called: I guess right after the `require('credential')`, but is it affecting the configuration in all the application or just in the current module?
from credential.
> a statement or an example illustrating where this configure function should be called: I guess right after the `require('credential')`, but is it affecting the configuration in all the application or just in the current module?

This is a good question, and reveals a bit of a design flaw in the current version of Credential. Normally, when you require something, you get a singleton. Since the `.configure()` method directly changes `this` and there's no particular instance, options are likely to be application-wide.
This could be easily corrected by making `credential` a factory (as is the case with all the default Express middleware, and Express, itself).
I think we should do that for the next version.
from credential.
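The singleton-versus-factory point made above, as an added example that is not credential's code: a toy `singleton` object whose `configure()` mutates shared state, next to a `makeHasher()` factory that gives each caller its own options. The `work` option and the `iterations()` method are constructed for this illustration; two "modules" are simulated by two references to the same cached object, which is what `require()` hands out.

```javascript
'use strict';
// Added example (not credential's code): why `.configure()` on a required
// singleton is application-wide, and how a factory keeps options per instance.
// `makeHasher`, the `work` option and BASE_ITERATIONS are constructed names/values.

const BASE_ITERATIONS = 1000; // constructed baseline

// Singleton style: `require()` caches the module object, so every module
// that requires it sees the same `options`, and configure() mutates them.
const singleton = {
  options: { work: 1 },
  configure(opts) {
    Object.assign(this.options, opts);
    return this;
  },
  iterations() {
    return BASE_ITERATIONS * this.options.work;
  },
};

// Factory style: each call returns an independent object with its own copy
// of the options, the way `express()` returns a fresh app.
function makeHasher(opts = {}) {
  const options = Object.assign({ work: 1 }, opts);
  return {
    options,
    iterations() {
      return BASE_ITERATIONS * options.work;
    },
  };
}

// Two application modules sharing the singleton: configuring in "module A"
// silently changes what "module B" computes.
function singletonDemo() {
  const moduleA = singleton; // both modules get the cached module object
  const moduleB = singleton;
  moduleA.configure({ work: 4 });
  return { a: moduleA.iterations(), b: moduleB.iterations() };
}

// With the factory, module A's stronger setting leaves module B untouched.
function factoryDemo() {
  const moduleA = makeHasher({ work: 4 });
  const moduleB = makeHasher();
  return { a: moduleA.iterations(), b: moduleB.iterations() };
}

module.exports = { singleton, makeHasher, singletonDemo, factoryDemo };
```

The practical consequence for the readme question: with the singleton, calling `configure()` anywhere, at any time, changes the work factor for every subsequent hash in the process, so a configure call buried in one module can weaken hashes produced by another. With a factory, the options travel with the instance, and the place to call it is wherever that instance is created.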