iplanwebsites
commented
5 years ago +1 . Have you guys found a workaround to avoid using Bcrypt?
Open brendanlong opened 6 years ago
iplanwebsites
commented
5 years ago +1 . Have you guys found a workaround to avoid using Bcrypt?
netpedro-com
commented
4 years ago @iplanwebsites consider replace passwordless-mongostore by passwordless-mongostore-bcrypt-node
brendanlong
commented
4 years ago Removing this entirely might be complicated if you want to maintain backwards compatibility, but two easy fixes for the performance issue would be to replace the hard-coded difficulty of 10 with either the lowest-allowed value (probably 1 or 4), or add an option so people can set it themselves.
This storage backend uses
bcryptto hash the tokens, but it shouldn't be necessary. The purpose of bcrypt is to take a low-entropy string and turn it into a high-entropy key, but we don't have that problem since the tokens are randomly generated and by default already have 2^128 bits of entropy.Note that the number-based tokens would not be secure, but I'm not convinced they're secure even with
bcrypt, since they only have 4-bytes of entropy.The other reason for hashing is to protect people's other accounts if their password is leaked, but since this is a random token, we don't have that problem either.
Hashing the token does one thing for security, which is preventing an attacker with read access to the database from logging in, but you could get just as much protection with one round of SHA-1.
In case you're thinking this doesn't matter:
bcryptlibrary adds a significant amount of complexity as shown by the-bcrypt-nodeversions of each backend