PaulC91 / shinyauthr

R package with shiny authentication modules
https://paulc91.github.io/shinyauthr/
Other
428 stars 81 forks source link

Added salting to the password #60

Open TaillandyV opened 2 years ago

TaillandyV commented 2 years ago

Added hashing directly to enhance the security, hashed keys are stored in "password" and the salt is added. This will proceed as such:

The salt given to this user + password entered by the user are hashed using sha-256 then compared to the hashed stored in the database for this user. If it is the same, connect the user if not don't connect the user.

This change allows for enhanced security; the passwords are not stored (Let it be on the app, on a database when shiny is launched remotely or if the source code is found.) , only the hashed result and the salt can be found.

Check for more information on salting : https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/

TaillandyV commented 2 years ago

Hi,

This is a version that I have just modified for my own use, so it is not up for deployment but I though the idea could lead to a better version of shinyauthr if the user could choose.

Thanks for shinyauthr !

PaulC91 commented 2 years ago

Hi, there is already password hashing options provided via the sodium package. This is designed to protect against brute force attacks whereas algorithms such as sha-256 are not. See https://github.com/PaulC91/shinyauthr#hashing-passwords-with-sodium and #13 for details.