Re: [nodejs] How to future proof password hashes?
[Isaac Schlueter (2013-02-01 16:45:25 UTC)]

> The binary encoding is probably not ever going away. It may be
> deprecated, but people use it, and meh. It's not hurting anybody.

Good to know. I'll try to avoid it when possible, though.

(Though I suppose it might as well have been called the latin-1 encoding. I have lived for years with latin-1 waiting for the world to support unicode. We're almost there, but latin-1 encoded stuff is still everywhere.)

> The crypto API will return a buffer by default in 0.10. If you would
> like to get a binary encoded string, you can add this to your code now
> to future-proof it:
>
> crypto.pbkdf2(..., function(er, derivedKey) {
>   if (typeof derivedKey === 'string') {
>     derivedKey = new Buffer(derivedKey, 'binary');
>   }
> [...]

*smacks forehead* Of course, should have thought of that, future proofing not only the user database, but the code as well. Thanks.

- Harald

--
--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google Groups "nodejs" group.
To post to this group, send email to nodejs@googlegroups.com
To unsubscribe from this group, send email to nodejs+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en

---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nodejs+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
Re: [nodejs] How to future proof password hashes?
The binary encoding is probably not ever going away. It may be deprecated, but people use it, and meh. It's not hurting anybody.

The crypto API will return a buffer by default in 0.10. If you would like to get a binary encoded string, you can add this to your code now to future-proof it:

    crypto.pbkdf2(..., function(er, derivedKey) {
      // Before 0.10 the key arrives as a 'binary' string; normalise to a Buffer.
      if (typeof derivedKey === 'string') {
        derivedKey = new Buffer(derivedKey, 'binary');
      }
      saveToDatabaseOrWhatever(derivedKey.toString('base64'), cb)
    })

Because pbkdf2 doesn't take an encoding argument, there's no other way to make this work, unfortunately.

See: http://nodejs.org/docs/latest/api/crypto.html#crypto_proposed_api_changes_in_future_versions_of_node
and http://nodejs.org/docs/v0.9.8/api/crypto.html#crypto_recent_api_changes

On Thu, Jan 31, 2013 at 3:14 PM, Daniel Rinehart wrote:
> Slightly OT. Besides future proofing due to upcoming crypto changes you
> might want to look into a module like bcrypt to help prevent against
> improvements in password cracking software: https://npmjs.org/package/bcrypt
>
> -- Daniel R. [http://danielr.neophi.com/]
>
> On Thu, Jan 31, 2013 at 5:41 PM, Harald Hanche-Olsen wrote:
>>
>> I'd like to store user password hashes in a database.
>>
>> When a new password is created, I get some bytes from
>> crypto.randombytes to use as salt, then feed the salt and password to
>> crypto.pbkdf2 (along with an iteration count and size).
>>
>> I convert the salt with salt.toString('base64') in order to save it in
>> the password database.
>>
>> I have noticed that the resulting key from pbkdf2 is essentially a
>> binary coded string; so convert it using
>>   new Buffer(derivedKey,'binary').toString('base64')
>> before saving it to the database.
>>
>> However, I see that the crypto API is going to change to using buffers
>> rather than binary encoded strings. Also, the 'binary' encoding is
>> going away.
>>
>> That is fine and well, but what do I need to do to ensure that the
>> password hashes will be the same after the crypto API changes?
>>
>> I understand I will have to rewrite the code, of course, but I want to
>> be able to use the same old hashes so that the password database can
>> still be used.
>>
>> Can I expect the future crypto.pbkdf2 to produce a buffer identical to
>> today's new Buffer(derivedKey,'binary')?
>>
>> Also, what is most future proof – to feed the binary salt as a buffer
>> to pbkdf2, or the stringified version thereof?
>>
>> - Harald
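An added example, not code from any poster in this thread: a store/verify pair for current Node that applies the string-or-Buffer normalisation shown above, keeps every parameter in the record so old hashes stay verifiable, and shows that the salt must be fed in the same form every time. The record layout, function names and iteration counts are assumptions made for illustration; 'sha1' is passed explicitly because current Node requires a digest argument and the digest-less pbkdf2 discussed here was HMAC-SHA1.

```javascript
const crypto = require('crypto');

// pbkdf2 handed back a 'binary' (latin-1) string before 0.10 and a Buffer after.
// Buffer.from(str, 'binary') is the current spelling of new Buffer(str, 'binary').
function toKeyBuffer(derivedKey) {
  return typeof derivedKey === 'string' ? Buffer.from(derivedKey, 'binary') : derivedKey;
}

// What the old code path stored: binary string -> Buffer -> base64.
function legacyStoredForm(keyBuffer) {
  const binaryString = keyBuffer.toString('binary'); // stand-in for the old return value
  return toKeyBuffer(binaryString).toString('base64');
}

// Hypothetical record layout: every parameter needed to recompute the key.
function hashPassword(password, iterations = 100000, keylen = 32) {
  const salt = crypto.randomBytes(16);
  const key = crypto.pbkdf2Sync(password, salt, iterations, keylen, 'sha1');
  return {
    salt: salt.toString('base64'),
    key: toKeyBuffer(key).toString('base64'),
    iterations, keylen, digest: 'sha1',
  };
}

// Recompute with the stored parameters and compare in constant time.
function verifyPassword(password, rec) {
  const salt = Buffer.from(rec.salt, 'base64'); // raw salt bytes, as at creation
  const expected = Buffer.from(rec.key, 'base64');
  const actual = toKeyBuffer(
    crypto.pbkdf2Sync(password, salt, rec.iterations, rec.keylen, rec.digest));
  return actual.length === expected.length && crypto.timingSafeEqual(actual, expected);
}

// Salt as Buffer vs. its base64 text: different input bytes, different key.
function saltFormChangesKey(password, saltBuffer) {
  const fromBytes = crypto.pbkdf2Sync(password, saltBuffer, 1000, 20, 'sha1');
  const fromText = crypto.pbkdf2Sync(password, saltBuffer.toString('base64'), 1000, 20, 'sha1');
  return !fromBytes.equals(fromText);
}
```
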
Re: [nodejs] How to future proof password hashes?
Slightly OT. Besides future proofing due to upcoming crypto changes you might want to look into a module like bcrypt to help prevent against improvements in password cracking software: https://npmjs.org/package/bcrypt

-- Daniel R. [http://danielr.neophi.com/]

On Thu, Jan 31, 2013 at 5:41 PM, Harald Hanche-Olsen wrote:
> I'd like to store user password hashes in a database.
>
> When a new password is created, I get some bytes from
> crypto.randombytes to use as salt, then feed the salt and password to
> crypto.pbkdf2 (along with an iteration count and size).
>
> I convert the salt with salt.toString('base64') in order to save it in
> the password database.
>
> I have noticed that the resulting key from pbkdf2 is essentially a
> binary coded string; so convert it using
>   new Buffer(derivedKey,'binary').toString('base64')
> before saving it to the database.
>
> However, I see that the crypto API is going to change to using buffers
> rather than binary encoded strings. Also, the 'binary' encoding is
> going away.
>
> That is fine and well, but what do I need to do to ensure that the
> password hashes will be the same after the crypto API changes?
>
> I understand I will have to rewrite the code, of course, but I want to
> be able to use the same old hashes so that the password database can
> still be used.
>
> Can I expect the future crypto.pbkdf2 to produce a buffer identical to
> today's new Buffer(derivedKey,'binary')?
>
> Also, what is most future proof – to feed the binary salt as a buffer
> to pbkdf2, or the stringified version thereof?
>
> - Harald
Re: [nodejs] How to future proof password hashes?
Yes, the buffers will be identical.

danmilon.

On 02/01/2013 12:41 AM, Harald Hanche-Olsen wrote:
> I'd like to store user password hashes in a database.
>
> When a new password is created, I get some bytes from
> crypto.randombytes to use as salt, then feed the salt and password to
> crypto.pbkdf2 (along with an iteration count and size).
>
> I convert the salt with salt.toString('base64') in order to save it in
> the password database.
>
> I have noticed that the resulting key from pbkdf2 is essentially a
> binary coded string; so convert it using
>   new Buffer(derivedKey,'binary').toString('base64')
> before saving it to the database.
>
> However, I see that the crypto API is going to change to using buffers
> rather than binary encoded strings. Also, the 'binary' encoding is
> going away.
>
> That is fine and well, but what do I need to do to ensure that the
> password hashes will be the same after the crypto API changes?
>
> I understand I will have to rewrite the code, of course, but I want to
> be able to use the same old hashes so that the password database can
> still be used.
>
> Can I expect the future crypto.pbkdf2 to produce a buffer identical to
> today's new Buffer(derivedKey,'binary')?
>
> Also, what is most future proof – to feed the binary salt as a buffer
> to pbkdf2, or the stringified version thereof?
>
> - Harald
Re: [nodejs] How to future proof password hashes?
I'm going to be that guy and point out that this is a bullshit reply. He asked a perfectly reasonable question about the crypto api.

On that note, my reply is also a bullshit reply :).

On Thursday, January 31, 2013, Angel Java Lopez wrote:
> Ummm... maybe your database already has a function to save password hashes
>
> On Thu, Jan 31, 2013 at 7:41 PM, Harald Hanche-Olsen wrote:
>> I'd like to store user password hashes in a database.
Re: [nodejs] How to future proof password hashes?
Ummm... maybe your database already has a function to save password hashes

On Thu, Jan 31, 2013 at 7:41 PM, Harald Hanche-Olsen wrote:
> I'd like to store user password hashes in a database.