ian-james / IFS

Immediate Feedback System for student programming assignments and essay writing
MIT License

Storing password, using bcrypt and one salt. #156

Closed ryoung2512 closed 5 years ago

ryoung2512 commented 6 years ago

Currently, we are using bcrypt and just one salt across all passwords to store passwords in the database. We should be randomly generating a salt each time someone makes a password and using that. This is a security issue. Is there any particular reason this design decision was made?

ian-james commented 6 years ago

I believe the hashSync does generate a salt each time within their code, if we're still using the same version of bcrypt.

However, if we're changing this we might want to look at using the LDAP instead of generating passwords at all.

If you want to change this or take this on please do.

ian-james commented 5 years ago

Closing this issue, as bcrypt handles this.