Closed furier closed 10 years ago
Yeah, this is important. I'm on my way home from work right now, will start working on this when I get home.
Good to hear @erming.
What should also be considered is encrypting all communication, logs etc. one user has with the server. I am not talking about HTTPS here...
What I mean is that no other user than the owner should be able to read one user's logs or communication by having access to memory or log files stored on disk.
Does anyone know a library that works in the browser, as well as on the server? (npm package preferably)
I found https://code.google.com/p/crypto-js/ It has support for SHA-2 and SHA-3. Which method do you guys think should be used?
idk if this is good but I found it in my bookmarks: https://github.com/bitwiseshiftleft/sjcl
Use bcrypt, server-side only, and use hashing for storing passwords.
Everything else should be server-driven encrypted/decrypted via a user provided key or second password.
The thing is, if shout should encrypt every user's logs etc., the user's password would be needed; it wouldn't be enough with the hash alone...
Nope. Use a second password for the encryption/decryption of logs and data. This is used by ProtonMail and similar, and it provides a second layer of protection for users. The test for the password is if it successfully decrypts their data.
A second password known to others than the user? Because that would be insecure. If I am not understanding you correctly, please enlighten me. :)
Nope. A second password known only to the user. User logs in with two passwords.
What website in this universe uses two passwords for login? Not counting YubiKey and Authenticators etc...
Protonmail, keybase if I recall. Anything with user provided encryption keys.
Some banks do this as well, re, Navy Federal in the US.
Ok, I found this one: https://github.com/ncb000gt/node.bcrypt.js
I will also implement a shout reset <user> command, which lets you reset/generate a new hash.
Let's get crackin'. I'll report back soon.
Here it is: https://github.com/erming/shout/commit/428f63946b44259e50f4d6f5b26bab6994cac638
Feel free to try it. It uses bcrypt with the cost factor of 8 (good enough?).
I'm going to add shout reset before I close this issue, shouldn't take too long.
Done: https://github.com/erming/shout/commit/d53c0716e611bffc613ab383bc125e9d64d41d28
I'm closing this issue now.
Navy fed no longer uses 2 passwords.
On Sep 11, 2014 3:56 PM, "dark12222000" notifications@github.com wrote:
> Some banks do this as well, re, Navy Federal in the US.
Encrypt passwords in user.json, or store the hash of the password and compare the hash with the hash of the provided password for login.