
Node.js password hashing bcrypt alternative using crypto

I'm actually using the bcrypt module to hash and compare hashed passwords.

What I would like to do is to remove the bcrypt module and use the default crypto library both for hashing and comparing passwords.

Is this possible?

Will this be less safe than using node-bcrypt?

Do you have any example/tutorial/doc/link on how to do it?

For example, I'm doing it like this actually:

bcrypt.hash(string,secret_key)
bcrypt.compare(string,string,secret_key);

I would just like to replicate this with crypto if possible:

crypto.hash(string,secret_key)
crypto.compare(string,string,secret_key);

You can hash using pbkdf2 from the crypto library:

crypto.pbkdf2(password, salt, iterations, keylen, digest, callback)

Sample implementation:

const crypto = require('crypto');
// password, salt, iterations, key length in bytes, digest used as the PRF
crypto.pbkdf2('secret', 'salt', 100000, 512, 'sha512', (err, derivedKey) => {
  if (err) throw err;
  console.log(derivedKey.toString('hex'));  // '3745e48...aa39b34'
});

Here is the reference: https://nodejs.org/api/crypto.html#crypto_crypto_pbkdf2_password_salt_iterations_keylen_digest_callback

It uses an HMAC digest algorithm such as sha512 to derive a key of the given length from the given password, salt and iterations. PBKDF2 has similar slowness features to bcrypt. With PBKDF2, bcrypt, or scrypt, the attacker can only make a few thousand guesses per second (or less, depending on the configuration).

bcrypt will be more secure than crypto, simply because it's slower. However, here are some password functions I wrote in CoffeeScript using crypto (I join the create_password parts with a '$'; you'll see that split in check_password):

  const crypto = require('crypto');   // required by both functions below

  create_password = function(passwd, method, salt) {
    var hmac;
    method || (method = "sha1");                                   // digest used inside the HMAC
    salt || (salt = crypto.randomBytes(6).toString('base64'));     // fresh random salt when none is supplied
    hmac = crypto.createHmac(method, salt);                        // the salt is used as the HMAC key
    hmac.update(passwd);
    return {
      hash: hmac.digest('hex'),   // update()/digest() is the documented API; the stream end()/read() pair is not guaranteed to be synchronous
      salt: salt,
      method: method
    };
  };

  check_password = function(hashed, passwd) {
    var hash, hashp, method, salt, _ref;
    _ref = hashed.split("$"), method = _ref[0], salt = _ref[1], hashp = _ref[2];   // "method$salt$hash"
    hash = create_password(passwd, method, salt).hash;   // re-derive with the stored method and salt
    return hash === hashp;   // plain string comparison (not constant-time)
  };

Example usage:

var passwd = "SOME STRING HERE";
var pwd_parts = create_password(passwd);   // the same variable is used on the next line
var hashed = pwd_parts.method + "$" + pwd_parts.salt + "$" + pwd_parts.hash;
check_password(hashed, passwd);

As of 24th April 2020 there is a nice built-in way of hashing passwords using scrypt in the crypto module. It's very secure since it utilizes a salt for hashing the password and it's based off scrypt.

// built right into nodejs
const crypto = require("crypto");

// salt - any random string here (ideally should be above 16 bytes)
const salt = "EoAZAJtVDdzPZmOxpx0EnqLmREYUfq";
function getHash() {
  return crypto.scryptSync("your-password-here", salt, 32).toString("hex");
}

Note: I used 32 characters in length but you can specify your desired length.

An alternative is bcryptjs. The concept is the same as bcrypt, but with no dependencies and compatible with bcrypt.

https://github.com/dcodeIO/bcrypt.js

https://www.npmjs.com/package/bcryptjs

Disclaimer: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.

Guangdong ICP Registration No. 18138465  © 2020-2024 STACKOOM.COM