Alternative to bcrypt for node js password hashing


#1

I am trying to make a login/signup webpage and I know that, because of security issues, passwords need to be encrypted. I tried bcrypt but it is a bit complicated. So I would like to know what type of encryption you recommend other than bcrypt.


#2

I always go with md5: https://www.npmjs.com/package/MD5


#3

Never use md5 for hashing passwords (important things); it’s crackable.
bcrypt isn’t that hard: for every user, save a salt and the password hashed with
the previously made salt.
Search “salt hash with bcrypt” for more info.


#4

I use passport or passwordless to handle sign ups.

Having no password may be safer than having a password, unless you also use 2FA.


#5

I know that md5 is crackable with hash tables, big hash tables. Also, you would have to have access to the db to try them. Do you know some articles to learn more about it?


#6

Perhaps you could tell us why you find bcrypt so hard? It may be a very simple problem to fix.


#7

It’s not that md5 is crackable exactly - reverse engineering a password from a hash is hard unless you have a table, it’s more that it’s relatively easy to stumble across md5 collisions (i.e. different strings that result in the same hash) - so you don’t need to crack a password, you just need to crack something that has the same hash as the password.

To minimise this you can use a hashing algorithm with more bits, like sha256, so the probability of collision is far less, but even then rainbow tables containing known passwords and common passwords are still the downfall. You don’t need a particularly large table to crack most passwords, because most passwords are pretty bad.

Salting, which bcrypt relies on - though you could make your own - introduces something less guessable into the algorithm, so rainbow tables no longer work.
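
Added example, not part of the original thread: a Node.js sketch of the difference described in the posts above, where an unsalted MD5 hash falls to a precomputed table while a per-user salted, slow hash does not. It uses Node's built-in `crypto.scryptSync` as a stand-in for bcrypt so it runs without installing a package; the password list and all function names are constructed for illustration.

```javascript
// Added example: unsalted MD5 lookup vs. per-user salted slow hashing.
// scrypt (Node core) stands in for bcrypt so no package install is needed.
const { createHash, randomBytes, scryptSync, timingSafeEqual } = require('node:crypto');

// Constructed sample list standing in for a table of common passwords.
const COMMON_PASSWORDS = ['123456', 'password', 'qwerty', 'letmein'];
const KEY_LEN = 32;

const md5Hex = (text) => createHash('md5').update(text).digest('hex');

// Unsalted hashes are identical for every user, so one precomputed
// hash -> password map answers every matching row in a leaked database.
const TABLE = new Map(COMMON_PASSWORDS.map((p) => [md5Hex(p), p]));
const lookup = (hashHex) => TABLE.get(hashHex) ?? null;

// Salted storage: a fresh random salt per user, kept next to the hash.
function hashPassword(password) {
  const salt = randomBytes(16);
  const key = scryptSync(password, salt, KEY_LEN); // deliberately slow, memory-hard
  return `${salt.toString('hex')}:${key.toString('hex')}`;
}

// Recompute with the stored salt and compare in constant time.
function verifyPassword(password, stored) {
  const [saltHex, keyHex] = String(stored).split(':');
  if (!saltHex || !keyHex) return false; // malformed record
  const expected = Buffer.from(keyHex, 'hex');
  if (expected.length !== KEY_LEN) return false; // truncated or non-hex key
  const actual = scryptSync(password, Buffer.from(saltHex, 'hex'), KEY_LEN);
  return timingSafeEqual(actual, expected);
}

// Two users who picked the same weak password:
const alice = hashPassword('password');
const bob = hashPassword('password');
console.log('MD5 table lookup:', lookup(md5Hex('password')));
console.log('same stored value for both users:', alice === bob);
console.log('table lookup on salted hash:', lookup(alice.split(':')[1]));
console.log('login with correct password:', verifyPassword('password', alice));
```

With the real bcrypt package the salt is generated and embedded in the output string for you, so the stored value is a single field rather than the `salt:hash` pair built by hand here.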


#8

Can you point me to a tutorial which teaches you how to create email auth with node? I’d love to learn how to add login/register functionality to websites with node.
I use react on the frontend.


#9

I wrote this for password-less authentication (just using a token in email)

but I didn’t use React, so you’d likely need to use something like JWT (json web tokens) as well. I haven’t tried that yet so not sure how complicated it is to implement.


#10

I don’t think that it is necessary to learn about salt and complicate things if there is a simpler solution. Plus I don’t know the pros of using bcrypt.

It is a great idea but it makes the web app much more complicated to use which leads to less traffic.

I found md5 good enough, but if it is not safe, can you point me to a safer similar alternative?

However, thank you all. This is my first topic and I like the way people help others.


#11

Simpler solutions leave your users vulnerable.

Either use third party login frameworks made by smarter people (PassportJS for example) or learn to do auth from scratch properly with hashing and salting.

It may be a little more effort, but people wanting to steal your users’ information are willing to put in effort to break your system. If someone is not willing to learn to do security properly, they have absolutely no business asking their users to trust them with private information.


#12

I’m confused here. Are you talking about using the bcrypt package, or implementing bcrypt (the algorithm) yourself? You should always use the package, which is pretty simple. You’ve already learned a lot of complicated stuff, so this should be child’s play. Try it out, and if you have any specific questions, ask them here.

Long story short, you’re not going to find an alternative to bcrypt if you can’t use bcrypt.


#13

There was a problem with the bcrypt package, but I installed bcrypt-node and I use it now. Thank you for helping.