Bad default settings about credential HOT 4 OPEN

After some quick searching it seems there is at least nothing bad in what you're suggesting, and it does give a ~2x speedup on hashing, which I fear an attacker could get for free anyway.

I implemented your suggestions in this version of the library: https://github.com/srcagency/credentials. A review would be much appreciated :)

from credential.

There should be a limit of 20 bytes to prevent this.

I'm open to a PR to fix these issues.

from credential.

@tjconcept I meant to reply to this last week. Your "~2x speedup on hashing" comment made me think there was something wrong with Node's PBKDF2 implementation. Anyway I found a bug in Node and I guess I had telemetry on or it's a massive coincidence, but it got fixed within 24 hours. Which was before I decided to reported it.

Anyway your settings are no longer bad but are wasteful because of space. A 512 bit salt and 512 bit hash are "stupid long". 256 bits for each is "crazy long but I can see someone arguing it" (see above). 128 bits for each is great. Consider changing default length from 64 to 16 (or 18 so that it's dividable by 6 because of base 64 and it's at least 16)... 24 is fine as that's a nice-ish base 2 number that's also dividable by 6. So from an OCD perspective 24 is ideal and well beyond long enough for authentication. Also 18 is 144 bits which is 😎 a gross number of bits.

from credential.

Thanks.

So, what you are suggesting is:

• Use SHA-256
• Use a 256 bits salt
• Use a key length of 24

Currently the key length is set to be "same as salt", and I read somewhere that some of these parameters should be the same - I don't remember which - but can you share your view on that (which parameters are related/should be equal)?

it got fixed within 24 hours

Do you have a link for the commit/issue?

from credential.