Npm Password Hashing Libraries
When are Password Hashing Libraries Useful
Password hashing libraries are particularly useful when creating secure application environments, where the handling and storage of user information is involved. They provide essential functionality to secure application user data:
- Security: Hashing passwords is a fundamental approach to securing passwords in transit and at rest; it turns plain text information into a digest that is not reversible.
- Authentication: They are vital in systems that need user authentication. During user registration and login, password hashes are used to verify identity.
- Data Protection: In case of a data breach, hashed passwords help keep user password data safe since they cannot be reverse-engineered.
Functionalities of Password Hashing Libraries
The main functionalities provided by password hashing libraries generally involve the creation and comparison of hashed passwords:
- Hashing Functionality: At a fundamental level, these libraries provide a hash function that takes a password as an input and returns a hashed string.
- Salt Generation: Salting is the process of appending or prepending a unique, random string known as a 'salt' to a password before hashing it, to protect against lookup tables or rainbow table attacks. Most libraries provide a function to generate this salt.
- Hash Comparison: Password hashing libraries usually provide a function to compare hashes. This function is used during user authentication to compare the hash of the user input with the stored hash.
Gotchas/Pitfalls to look out for
When using password hashing libraries, there are a few areas where caution is needed:
- Up-to-date Libraries: In npm, the published date and the version number are important. Older releases might have vulnerabilities that have been fixed in newer versions.
- Well-maintained Libraries: Check if the library is maintained regularly. Libraries that are not periodically updated can have security flaws.
- Avoid Fast Hash Functions: Fast hash functions like MD5, SHA1, or SHA256 are not suitable for hashing passwords, since their speed makes brute force attacks cheap. Choose a library built on a deliberately slow, tunable function such as bcrypt or scrypt.
- Verify Salt Handling: Check that the library salts each password. Without a salt, two users with the same password would have the same hash, and the hashes become vulnerable to rainbow table attacks.
- Check for Constant-time comparison function: In order to prevent timing attacks, the hash comparison function needs to run in “constant time”, i.e. the time it takes to run should not depend on the data being checked. Some libraries may not provide this functionality, which can pose a security risk.