
Store hashes of passwords #9

Open
zaaath opened this issue Dec 9, 2021 · 4 comments

Comments


zaaath commented Dec 9, 2021

Store hashes of passwords instead of the original passwords. Optionally, apply salt to it.

Context

Currently, passwords seem to be stored in their original form in Local Storage under the auth-db-fa5 key:

[
   {
      "user":{
         "uid":"548",
         "email":"[email protected]",
         "password":"demo"
      },
      "token":"eyJ1aWQiOiI1NDgiLCJlbWFpbCI6ImRlbW9AZ21haWwuY29tIiwicGFzc3dvcmQiOiJkZW1vIn0="
   },
   {
      "user":{
         "uid":"9798",
         "email":"[email protected]",
         "password":"test1",
         "name":"Leo"
      },
      "token":"eyJ1aWQiOiI5Nzk4IiwiZW1haWwiOiJ0ZXN0MUB0ZXN0LmNvbSIsInBhc3N3b3JkIjoidGVzdDEifQ=="
   }
]

This sets a bad example. I think it's much better to implement simple logic of using hashes instead (perhaps even including salt, but not necessary).

zaaath changed the title from "Hash passwords" to "Store hashes of passwords" on Dec 9, 2021

zaaath commented Dec 9, 2021

@gragland let me know if you want to see this implemented. I might be able to work on it.

gragland (Owner) commented

Hey there, I'm not sure I understand the point of adding any kind of security here, as this is only meant to be used when prototyping and the code of this library isn't really intended to be a good example of a production auth system (which would look very different and hashing would happen on the server). Maybe you can clarify your reasoning?


zaaath commented Dec 14, 2021

@gragland I understand that this library is for prototyping, and production-level security is not needed. However, storing plain passwords might really damage your reputation. In my case, that surprised me, and not in a good way.

Perhaps consider setting expectations clearly that the password will be stored unhashed when using fake-auth (on the registration form or as a pop-up).


zaaath commented Dec 14, 2021

And by the way, it's really easy to use hashes (even with salt and multiple rounds). There is this library called bcrypt which produces a hash with only:

await bcrypt.hash(password, pwdSaltRounds);

This produces something like $2b$12$1mE2OI9hMS/rgH9Mi0s85OM2V5gzm7aF3gJIWH1y0S1MqVBueyjsy, see this Stack Overflow post.
And then to verify the password:

await bcrypt.compare(password, user.pwdHash);

I think any eng would appreciate this little security measure in fake-auth.
