Deprecated in favor of modules requiring compilation; is there no good solution using node's built-in crypto module? #10
Comments
|
Both bcrypt and scrypt are password-based key derivation functions. The node crypto module HAS an equivalent style function, PBKDF2, which has been around for a while (I recall it being in 0.6.x if not earlier). The issue from a compatibility standpoint is that password-hash exposes as synchronous API, whereas PBKDF2 has been asynchronous until 0.10.0, when they added a synchronous version. Let me think about the best way to add support for this. Ideally, Out of curiosity, what makes you not trust C++ code that has the attention of security researchers? Do you consider that less secure than a JavaScript module? |
|
I separately queried the bcrypt devs, who gave an excellent explanation of I occasionally have issues with self-hosted customers who are stubborn On Tue, Aug 5, 2014 at 9:07 AM, David Wood [email protected] wrote:
*THOMAS BOUTELL, *DEV & OPS |
|
PBKDF2, bcrypt, and scrypt are similar in general approach, but the general consensus is that scrypt > bcrypt > PBKDF2. That being said PBKDF2 has received more security professional review and is what NIST recommends. I'll work PBKDF2 into the module this week. |
I understand you've deprecated this module. I'm writing to ask if there are alternatives you consider secure that take advantage of node's built-in crypto module as a backend and do not require the compilation of custom C++ code beyond that. That could reduce the overall amount of attackable C++ code in the system. It's also convenient where compilation is unwelcome, although I recognize that's a secondary concern.
I'm also wondering if there's any urgency to migrate off this module completely and force users to generate new passwords. I've been using it with its default settings for some time.
The text was updated successfully, but these errors were encountered: