Readme
Secure Passwords for node.js
Overview
This simple package was inspired by the pwstore package for Haskell. It offers a simple way to store passwords fairly securely in node.js.
The security is enhanced by a salt, created via crypto.randomBytes(). The other part is the digesting, done with an algorithm of your choice, several thousand times.
Using
To get it, simply do

    pw = require('secure-password');

Then you have access to two functions:
    pw.makePassword(pass, iter = 10, algo = 'sha256', saltLen = 32)

This returns a password string for storing, made from the cleartext in pass. A new salt of length saltLen is randomly created, then the given algo is applied to it, 2**iter times. The result is a string of the form

    'sha256|10|qKal7b94KPw0hC5y3/3vcPSu3yn4jYn1dYyd6ouppWU=|yxrJwBgIZPR0+0bNGlRyfqHRfMLCq0yu'

The default value for iter is 10. This is ok as a value for low-end servers that have to do a lot of these, but modern systems should use 12 or higher. The higher this value, the longer the hashing takes. A rainbow table attack takes longer, and with the salt even more so.

    pw.verifyPassword(pass, stored)

This is the other side of the function. Very simple: just give it the cleartext password supplied by the client and throw in the stored one from makePassword. It will simply return true or false, or throw an exception if stored doesn't seem to be of the right format.
Notes
Despite the package name, this only improves the security of password storage. The actual security depends on the application and the storage method.